Sie sind auf Seite 1von 111

Review: Oce 365 vs. Google Apps p.



O C TO B E R 2011 | W I N D O W S I T P R O.CO M | W ER E I N I T W I T H YO U

Defend Yourself Against

Threats p. 19

Outlook 2010:
Enable RemoteFX p. 26 Reply to
Database Maintenance in Emails p. 39
Exchange 2010 SP1 p. 31
Buyers Guide:
Leverage Multipath I/O Windows Scripting
for iSCSI p. 35 Editors p. 53
Digital Edition Copyright Notice

The content contained in this digital edition (Digital Material), as well as its
selection and arrangement, is owned by Penton Media, Inc. and its affiliated
companies, licensors, and suppliers, and is protected by their respective copyright,
trademark and other proprietary rights.

Upon payment of the subscription price, if applicable, you are hereby authorized
to view, download, copy, and print Digital Material solely for your own personal,
non-commercial use, provided that by doing any of the foregoing, you
acknowledge that (i) you do not and will not acquire any ownership rights of any
kind in the Digital Material or any portion thereof, (ii) you must preserve all copyright
and other proprietary notices included in any downloaded Digital Material, and (iii)
you must comply in all respects with the use restrictions set forth below and in the
Penton Privacy Policy and the Penton Terms of Use (the Use Restrictions), each
of which is hereby incorporated by reference. Any use not in accordance with, and
any failure to comply fully with, the Use Restrictions is expressly prohibited by law,
and may result in severe civil and criminal penalties. Violators will be prosecuted
to the maximum possible extent.

You may not modify, publish, license, transmit (including by way of email, facsimile
or other electronic means), transfer, sell, reproduce (including by copying or
posting on any network computer), create derivative works from, display, store, or
in any way exploit, broadcast, disseminate or distribute, in any format or media of
any kind, any of the Digital Material, in whole or in part, without the express prior
written consent of Penton Media, Inc. To request content for commercial use or
Pentons approval of any other restricted activity described above, please contact
the Reprints Department at (888) 858-8851. Without in any way limiting the
foregoing, you may not use spiders, robots, data mining techniques or other
automated techniques to catalog, download or otherwise reproduce, store or
distribute any Digital Material.






4 Microsoft Ups the Ante

with SQL Server Denali
SQL Server 2008 R2 and the upcoming
SQL Server Denali release have so
much additional functionality that
the product has evolved beyond a
relational database to an enterprise
data platform.


5 HP Drops a Grenade
and Google Purchases
19 Protect Against Advanced Persistent Threats Patent Protection
To gua
uard aga
g ins
nst A
nst APTs
PTs, o
rga nizati
ions shoul
ould keep
ould keep th
eir sy
s stems and ne
works up
-date, u
use Why HPs defection from the PC market
ivirus so
rus s ftw
are, p
rac ticee the
tic the pri
l of le
ast pri
as priviileg
lege, adopt meeaningful
f policies, and educate shouldnt have been a surpriseplus,
their employees about best security practices. what Googles Motorola purchase
BY JOHN HOWIE means to the smartphone market.


Editors Note:: We are pleased to be able to 39 Outlook 2010: Reply to 8 Find Users with
bring you extra content this month in the form Get-ADUser
of the SharePoint Pro supplement youll find at Autoforwarded Emails Get-ADUser is a helpful member of
the back of this magazine. You can find more Learn how to reply to email messages that were Windows Server 2008 R2s 76-cmdlet
great SharePoint news and technical content at forwarded from your own account on another PowerShell team that lets you retrieve
network, including where to put your code and AD user objects. Learn how it works.
how to identify forwarded emails.


Server Denali
26 RemoteFX 16 Reader to Reader Microsoft SQL Server Denali will include
important features for the enterprise,
RemoteFX improves the capabilities available to Find out when FAT can be invaluable and how
users connecting to Microsoft Virtual Desktop such as new developer tools, improved
to install Microsoft Security Essentials without security, and enhanced architecture.
Infrastructure (VDI) environments and eliminates leaving your desk.
many of the past restrictions.
Learn how to let non-administrators perform
activation actions on clients; find out what
11 Federation at
31 Database Maintenance VMware vShield is; and discover what the Microsoft
in Exchange 2010 SP1 terms access token, security descriptor, and
impersonation mean in relation to the Windows
To find out how Microsoft runs its
federation service, Sean sat down
Although most Microsoft Exchange Server
authorization process. with Laura Hunter, identity and access
database maintenance is ongoing, some
management architect for Microsoft IT,
on-demand repairs are necessary to remedy
at the Cloud Identity Summit.
problems at both the logical and physical level.

35 Microsoft Multipath I/O 13 Give Microsofts
for iSCSI Scalable Networking Pack
Microsoft Multipath I/O (MPIO) is designed to 63 Directory of Services
Another Look
help businesses build highly available, fault-
tolerant SAN configurations, as well as improve 63 Advertising Index Increase network performance by
utilizing these Microsoft-endorsed best-
BY JOHN HOWIE 63 Vendor Directory practice recommendations surrounding
Receive-Side Scaling and TCP Chimney
64 Ctrl+Alt+Del Offload.

Access articles online at Enter the article ID (located at the end of each
article) in the InstantDoc ID text box on the home page.


PRODUCTS Editor in Chief
Amy Eisenberg
Peg Miller
44 New & Improved Senior Technical Director Director of IT Strategy and Partner Alliances
Check out the latest products to hit the marketplace. Birdie J. Ghiglione
Michael Otey
Technical Director Online Sales Development Director
Sean Deuby Amanda Phillips
REVIEW Senior Technical Analyst Key Account Director
45 Pauls Picks Paul Thurrott
Chrissy Ferraro
Find out why Microsoft Touch Mouse falls short, and Industry News Analyst Account Executives
discover one way to learn how to become a developer Jeff James Barbara Ritter
on Apple iOS. 858-367-8058
BY PAUL THURROTT Custom Group Editorial Director Cass Schulz
Dave Bernard 858-357-7649
Developer Content Client Project Managers
REVIEW Anne Grubb Michelle Andrews 970-613-4964
46 vCloud Express Exchange & Outlook
Kim Eck
Ad Production Supervisor

VMwares cloud-based virtualization solution makes it Brian Winstead Glenda Vaught
easy to provision test virtual machines (VMs).
BY TONY BIEDA Systems Management, Networking, Hardware
Jason Bovberg
Security, Virtualization Customer Service
REVIEW IT Group Audience Development Director
Jeff James
47 vWorkspace SharePoint
Marie Evans
Create a unified view of your desktop virtualization Marketing Director
Caroline Marwitz Sandy Lang
environment, with applications delivered seamlessly
from multiple sources. SQL Server
Managing Editor
Lavon Peters
48 Dell KACE K2000 Editorial Assistant
Blair Greenwood
This client OS deployment appliance supports both
Mac OS and Windows OS images.
CONTRIBUTORS Chief Executive Officer
BY ORIN THOMAS Sharon Rowlands
SharePoint and Office Community Editor
Dan Holme
Chief Financial Officer/Executive Vice President
Senior Contributing Editors
49 Office 365 vs. Google Apps David Chernicoff T E C H N O LO G Y G R O U P
You might be aware of the back-end advantages Mark Minasi
of choosing Microsoft Office 365 or Google Apps, Senior Vice President, Technology Media Group
but what will your end users experience with each Paul Robichaux
Kim Paulsen
offering? Find out what users will get and what theyll Mark Russinovich
give up. John Savill
BY ZAC WIGGY Windows, Windows Vista, and Windows Server
Contributing Editors
are trademarks or registered trademarks of Microsoft
Alex K. Angelopoulos Corporation in the United States and/or other countries
Michael Dragone and are used by Penton Media under license from
BUYERS GUIDE owner. Windows IT Pro is an independent publication

53 Windows Scripting Editors Jeff Fellinge

Brett Hill
not affiliated with Microsoft Corporation.


A scripting editor can make it easier to develop, debug,
Darren Mar-Elia Submit queries about topics of importance to Windows
and maintain Windows IT administrative scripts. This managers and systems administrators to articles@
buyers guide presents a range of product choices Tony Redmond
to help you select an editor that fits your needs and Eric B. Rux
budget. William Sheldon PROGRAM CODE
BY ANNE GRUBB Curt Spanburgh
Unless otherwise noted, all programming code in this
issue is 2011, Penton Media, Inc., all rights reserved.
Orin Thomas These programs may not be reproduced or distrib-
uted in any form without permission in writing from
Douglas Toombs the publisher. It is the readers responsibility to ensure
58 Industry Bytes Ethan Wilansky procedures and techniques used from this publication
are accurate and appropriate for the users installation.
Google+ brings some new and innovative features No warranty is implied or expressed.
to the table, making it far more than just another ART & PRODUCTION
Facebook competitor; smartphone app addiction LIST RENTALS
Production Director
is real, andsurprisinglybeneficial; and Microsoft Contact MeritDirect, 333 Westchester Avenue,
System Center Service Manager (SCSM) lets users Linda Kirchgesler White Plains, NY or
initiate Microsoft System Center Orchestrator Senior Graphic Designer REPRINTS
runbooks. Diane Madzelonka,,
Matt Wiebe 216-931-9268, 888-858-8851

SQL Server has been the clear mindshare

leader in enterprise databases since SQL
Server 7.0 delivered OLAP Services with no
additional licensing costs back in 1998.

Microsoft Ups the Ante with SQL Server Denali

SQL Server has evolved from a relational database to an enterprise data platform

t this years Professional Association for SQL Server R2 and the upcoming SQL Server Denali release have so much
(PASS) conference, Microsoft and numerous other additional functionality that the product has evolved beyond a
industry experts are presenting a variety of sessions relational database to an enterprise data platform.
showcasing the latest release of SQL Server, code- Although the foundation for SQL Server Denali is the relational
named Denali. Expected to be released around the database engine, thats really just the tip of the iceberg. SQL Server
end of the year, Denali really ups the ante for what Denali also includes five other subsystems that each provide sig-
an enterprise relational database product delivers. nificant additional functionality beyond pure relational database
According to Gartner Research, SQL Server 2008 R2 and SQL capabilities. First, theres the BI engine thats delivered in the
Server Denali are number two in the enterprise database market, Analysis Services subsystem. Analysis Services is the successor
as measured by total revenue. Gartners 2010 survey of the rela- to the older OLAP Services and it enables fast ad-hoc decision
tional database market revealed that Oracle still holds the top spot support queries. Next, theres the Integration Services subsystem.
with 44 percent of the market. Microsoft and SQL Server moved Integration Services is Microsofts extraction, transformation, and
from third place to second place with 18.4 percent of the market. loading (ETL) tool that can transfer and transform data loaded
IBM is now in the third position with 13.3 percent of the relational into both data warehouses and relational databases. Next, Report-
database market. Although that might seem like a big separation ing Services is able to surface both relational OLTP data and BI
between number one and number two, remember that Gartners OLAP data in a variety of formats that can be included in your
research is measured by revenuenot seatsand Oracle is much applications and management dashboards. The combination of
more expensive than SQL Server. Microsoft research indicates that Analysis Services, Integration Services, and Reporting Services
SQL Server is first in terms of units sold. forms the core of Microsofts BI platform. In addition, SQL Server
More important than sales figures is the fact that SQL Server has 2008 includes Master Data Management Services, which enables
been the clear mindshare leader in enterprise databases since SQL companies to create a single authoritative data source by inte-
Server 7.0 delivered OLAP Services as a part of the product, with no grating definitions from multiple disparate databases. To this,
additional licensing costs, back in 1998. The path from those earlier Denali will add Data Quality Services, a data cleaning subsystem
releases to todays SQL Server has been marked by a number of designed to make sure enterprise data conforms to an organiza-
significant innovations. First, Microsoft needed to deliver on the tions business rules.
enterprise part of the relational database. Since those early days, Other important features that the Denali release will include
SQL Server has evolved from a departmental relational database are the new AlwaysOn high-availability feature, which combines
back in the SQL Server 6.5 days to the enterprise-ready data plat- the best of Windows failover clustering and database mirroring; the
form that it is today. Questions about SQL Servers suitability for new SQL Server Development Tools IDE, which provides a unified
enterprise scalability have been laid to rest for good since the SQL development experience for both relational and BI developers; the
Server 2000 release almost 11 years ago. SQL Servers relational new columnar index feature, which can speed up data warehous-
database enterprise scalability t has been proven by thousands ing queries by up to 100x; and the new Project Crescent, which is
of organizations, not to mention many number one and top ten designed to enhance end-user data visualization.
TPC-E, TPC-H, and TPC-E scores. The upcoming SQL Server Denali release is no gamble. SQL
Enterprise scalability laid the foundation that allowed SQL Server might not be the market leader in enterprise database
Server to compete head-to-head with Oracle and IBM, but it was market revenue, but its most definitely the leader in the features
the other innovations that made SQL Server the mindshare leader. it brings to market. It provides more bang for the buck than any of
Although other enterprise databases had business intelligence (BI) the other enterprise-oriented relational databases.
features available, all of those features were expensive add-ons InstantDoc ID 140298
(in some cases, very expensive). Adding BI to the base product
MICHAEL OTEYY ( is senior technical director
was instrumental in enabling the entire BI market to grow from a for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server
niche segment to mainstream technology. Todays SQL Server 2008 2008 High Availability with Clustering & Database Mirroring (McGraw-Hill).

4 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Yes, Android has other issues around OS
version fragmentation and so on. But its now highly
unlikelyimpossible, reallyfor Apple to try and
block the sale of Android devices generally.

HP Drops a Grenade and Google Purchases Patent


generally like to cover a wide range of topics in this col- market, this just isnt HPs forte. One wonders if Dell, which today
umn, but two blockbuster tech industry announcements offers a similar mix of PCs and corporate services, is next. Though
dominated the headlines this summer and will have lets be honest here: A month ago, few people were wondering
ramifications for years to come. So lets dive right into what about such things. That the top PC maker would simply give up is
can only be described as the most interesting year for tech nothing short of a bombshell.
news in a long while. Which leads naturally to Microsoft. HP wasnt just Microsofts
biggest PC maker partner, it was also the software giants closet
HP Drops a Grenade in Room, Runs companion, the one company that would follow wherever Micro-
PC giant Hewlett-Packard (HP) made several blockbuster revela- soft led. Anytime a Microsoft product came to market, HP was
tions in mid-August, and attached them, for some reason, to its there with the corresponding hardware. It reads like a Whos-Who
otherwise decent quarterly financial results announcement. The list of forgotten Microsoft products, from the Pocket PC and Win-
firm said it would purchase corporate search software maker dows Mobile to Media Center and the Tablet PC. It was corporate
Autonomy for $10.3 billion, would stop selling its webOS-based codependency as its most obvious.
smartphones and TouchPad tablet, and was examining whether In the finest traditions of Monday morning quarterbacking,
to sell or spin off its PC business. HP, in other words, is following however, we should have seen this one coming. HP, of all compa-
in the footsteps of IBM. nies, purchased ailing Palm and promised to unleash its webOS
Curiously, the webOS piece of the announcement got the most platform not just on smartphones, but on tablets and, get this, even
press. But the other two revelations are far more important. HP is on its PCs. Thats right: HPs plan was to deliver PCs to consumers
attempting to do what IBM did before it, which is to reinvent itself and businesses that would dual-boot between Windows and Palm
as a purely corporate-focused provider of software and services. webOS, offering a choice, yes, but also a not-so-subtle shiv in the
That HP would drop its PC business is, perhaps, the most side of Microsofts decades-long strategy.
shocking. At the time of the announcement, HP was the number This plan seemed curious at the time, but it never came to
one PC maker in the world, selling far more units per quarter than fruition, seeming more fantastical than real. But we should now
its closest rival, Dell. (According to IDC, HP controls 18 percent see HPs webOS experimentfailed along with the poor-selling
of the worldwide market for PCs, compared to 11 percent for webOS-based TouchPad tablet that no one seemed to wantas
number-two Dell.) the wake-up call that it is. Here was Microsofts biggest and closest
So why the exit strategy? HP, like the old General Motors, is a big partner buying its own platform so it could step out of Microsofts
company that brings a lot of overhead to every physical product it shadow and provide complete, HP-based software and hardware
sells. But the PC market is a low-end, cut-rate commodity market, solutions to customers. Clearly, the company had been planning
except for Apple, which has nicely established itself as the only something for a long time now, some seismic strategy shift. That it
high-end PC maker that customers actually consider. And HPs moved so quickly to kill off both webOS and its PC businessthe
strategy to play in Apples territory has failed on two counts: Its TouchPad was barely on the market two monthsis interesting.
expensive MacBook Pro knock-offs, the Envy line of PCs, have been HP is clearly serious about remaking itself.
ignored by consumers. And its attempt to copy the success of the For HPs customers, there are many questions and few answers.
iPhone and iPad via its blockbuster purchase of Palm a year ago Both webOS and the HP PC business could be spun off, together or
has been even less successful: Smartphones based on Palm webOS separately, or sold to other parties. Samsung allegedly was in talks to
fall into the Other category in smartphone market share reports purchase the PC business earlier this year, for example. I expect HP,
and havent dented the market in the slightest. Even Windows like IBM, to continue to support its PC products, and like IBM, to resell
Phone looks like a powerhouse by comparison. PCs from whatever company does walk away with this business.
Looking just at HPs PC business, there are heady revenues That said, HPs exit from the PC business and from the broader
($40.7 billion for its previous fiscal year) but relatively tiny profits consumer market changes everything, not just for Microsoft,
($2 billion for the same time frame). And while smaller PC makers but for the many other companies that are trying to compete in
like ASUS, Acer, and Samsung may be able to flourish in such a these markets. For entrenched successes like Google, with its

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 5

Android-based products and services, and a subset of the tech punditry that argues that this cabal was allying against it and
Apple, with iOS (iPhone, iPad), HPs exit is (without really knowing one way or the would use those patents as a club in order
confirmation that their focus on post-PC other) that many of these patents could to get Google to pay.
products and services is the right one. For ultimately be found invalid if they were That was exactly their plan, of course.
other big PC makersDell, and possibly tested in a legal setting. But such issues, So in August, Google announced a block-
LenovoHPs move is perhaps something as with a general call for patent reform, buster purchase of its own: The company
theyve considered themselves. And for the are beside the point: Patents are part of will purchase Motorola Mobility for $12.5
smaller PC players, HP is providing them the business, so this is the environment in billion, picking up an Android hardware
with a chance to make new moves in this which these companies must compete. maker (and somewhat souring its relation-
post-netbook PC market. Enter Google: The online giant has a ship with other partners in the process).
Besides my GM comparison previously, nearly unlimited supply of cash thanks to But Motorola is most interesting because
the parallels with the car market are every- its successful advertising efforts, which of its 17,000 patents, many of which are
where. Just as todays Hyundais, Kias, and feed off the companys near-monopoly related to the mobile industry.
Smart Cars would have been inconceiv- search engine. To jumpstart its mobile And with this purchase, Google finally
able to American car buyers 30 years ago, efforts, Google elected to give away its has purchased the patent protection that
the notion that the Acers, ASUSes, and Android mobile OS rather than charge a Android requires. This gives Google the
Samsungs of the PC world could be major per-unit licensing fee as, say, Microsoft defense it needs when Apple, Microsoft, or
players today would have been inconceiv- does. This strategy comes with various other companies come complaining about
able to buyers of the first PCs. The times pros and consagain, a topic for another Androids patent infringements. Because
they are a-changing. discussionbut the result is not debatable: its highly likely that these companies
Google now owns 43 percent market share mobile products are themselves infringing
Google, Android, and Motorola for smartphones, a heady leap over the 17 on Motorolas patents. And heck, why go to
Previous to the HP late-summer block- percent it commanded a year ago. And its court when you can simply cross-license?
buster, the big tech news of the year lead over Apple and the other smartphone What this means to potential customers
involved escalating mobile industry pat- makers is growing day by day. of these devices is that a cloud that once
ent skirmishes, which seemed destined to Someincluding yours trulyhave loomed over Android is now removed. Yes,
drag Apple, Google, Microsoft, RIM, and argued that Google is following in Micro- Android has other issues around OS version
other players into full-blown warfare. Then softs antitrust footsteps by using its domi- fragmentation and so on. But its now highly
Google simply purchased handset maker nance in one market (in this case, search/ unlikelyimpossible, reallyfor Apple to try
Motorola Mobility, not for its phones but its advertising) to dump another no-cost prod- and block the sale of Android devices gener-
patents. With that move, the mobile indus- uct (in this case, Android) in a new market. ally. (This is a strategy Apple is currently
try suddenly seemed destined for more of More to the point, however, Google never using against Android licensee Samsung
a quiet, Cold Warstyle, barely-disguised established a portfolio of patents related in Europe.) Which means, going forward,
animosity between these companies. to its mobile industry products. Until this Android and iPhone will likely continue to
How we got to this point is convoluted, year, however, the other companies in the carve up the top 60 percent of the market
but the short version goes like this: With the smartphone industrythe companies that or so for themselves, leaving the rest of the
tech industrys seemingly inevitable move would like to license their own technolo- market to also-rans like RIM BlackBerry and
from traditional computers to mobile devices gies to others, like Googlenever really Microsoft/Nokia Windows Phone.
such as smartphones and tablets, those who threatened Google with patent violation I dont believe that Google intends to
wish to play in this new marketplatform claims, even though Android is clearly do anything interesting or exciting with
makers like Apple, Google, and Microsoft, infringing on numerous mobile patents. Motorolas handset business or other hard-
but also the hardware makers (HTC, LG, Instead, these companies went after the ware (the company also makes cable TV set
Samsung) that resell those platformsare smaller companieslike HTC, Motorola, top boxes). That would create too much
jockeying for position. And as Apple CEO and Samsungthat sell Android-based of a strain on Googles partners and could
Steve Jobs noted when he announced the phones. This makes sense from a strategic lead to a diminished role for Android. Thus,
first iPhoneweve patented the hell out sense, since these smaller companies cant I expect Google to spin or sell Motorolas
of itthe prime bargaining chip that any afford to be held up in court for years at a hardware business as soon as possible.
of these companies has is often the patents stretch, as Google could. But it also allowed (Note that the Motorola sale, if approved by
that protect their inventions. Google to continue dumping Android and regulators, wont happen until 2012.)
These patents are used in different establishing itself, arguably unfairly, as the InstantDoc ID 139895
ways, but the most common is cross-licens- market leader.
ing, where two companies each license the So this year, Google became the target. the senior technical analyst for Windows IT Pro. He
others patents. When companies refuse to And when Apple, Microsoft, RIM, and writes the SuperSite for Windows (winsupersite
license anothers patents, they are threat- other companies purchased a Nortel pat- .com), a weekly editorial for Windows IT Pro UPDATE
(, and a daily
ened then sued. Oddly, few of these cases ent portfolio for $4.5 billion, Google cried Windows news and information newsletter called
have gone to court, and indeed, theres foul, complaining to the US government WinInfo Daily UPDATEE (

6 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Get-ADUser is a strong tool
that every AD administrator
should start using.

Find Users with Get-ADUser

This handy Active Directory tool is part of the 76-cmdlet PowerShell collection

ver the 11 years that Active Directory (AD) has been -ff would be too ambiguous and I wouldnt be able to abbreviate it
around, weve seen a number of automation tools smaller than -fil.
that can extract subsets of AD. The latest in that line Second, whats with GivenName? The names of AD user attri-
Get-ADUseris a member of Windows Server 2008 butes come from the X.500 standard schema, andfor whatever
R2s 76-cmdlet PowerShell team. Its a strong tool that reasonthe folks who cooked up X.500 chose to use the more
every AD administrator should start using, so its the European phrase GivenNamee (rather than FirstName). If youve
focus of this months column. used ADSI Edit, you already know this, but what you might not
Essentially, all youll need in order to run Server 2008 R2s AD know is that the folks who wrote the AD cmdlets took things further
cmdlets is at least one Windows 7 or Server 2008 R2based mem- by offering multiple versions of some attributes. For example, the
ber server (from which to issue the commands) and at least one X.500 phrase for last namee is sn, which is short for surname. (Dont
Server 2008 R2based domain controller (to receive and execute ask me why the X.500 folks didnt use gn as the attribute for first
the commands). I say essentially because you can actually get a name!) Anyway, youll find that PowerShell cmdlets recognize both
preServer 2008 R2 DC to understand PowerShell commands, but sn and surnamee as valid user attributes. You can, however, easily
thats a long story for another day. see a complete list of attributes that user Mark has, like so:
To start finding user objects with Get-ADUser, open a Power-
Shell window and import the AD module by typing import-module get-aduser -f {name -eq 'Mark'} -properties *| get-member
activedirectory,y or its shortened version, ipmo ac*. If youve ever
used a PowerShell cmdlet that starts with get- (e.g., get-process, get- Save that commands output! It's a useful listing of the layout of AD
service), you might imagine that you could simply type get-aduser, user objects and thus will simplify crafting queries in the future.
and then PowerShell would show you all the users, but that doesnt Third, youve probably guessed that -eq q is PowerShell-speak for
happen. Rather, PowerShell prompts you for some parameters. is equal to. You cant use an equals sign in your queries, so -f {name
The parameter youll use most commonly is -filter, r which lets = 'Mark'}} won't fly. You might be surprised, however, that the fol-
you insert criteria for picking out the users you want. The most lowing wont work either (or at least not the way youd expect):
basic one is
get-aduser -f {name -eq 'M*'}
get-aduser -filter *
PowerShell draws a distinction between comparisons that contain
which tells PowerShell to retrieve every user account in your AD wildcards and those that dont. For an exact-match search, use -eq.
implementation. I highly recommend that you do nott run that For one incorporating a wildcard, use -like, as in
command on your production network unless its very small or you
dont mind overloading your local DC. I recommend getting pickier, get-aduser -f {name -like 'M*'}
as in this example that finds all users whose first names are Mark:
Ive been comparing namee to Mark k with a capital letter, but I
get-aduser -f {GivenName -eq 'Mark'} should mention that the AD PowerShell cmdlets are case-insen-
sitive. PowerShell experts might know that you can, in general,
If you run that command on a network that lacks anyone named specify case-sensitive comparisons by using the -ceq q operator
Mark, PowerShell will return a prompt with no explanatory text. instead, but note that you cant do that with the AD cmdlets.
That example raises a number of concerns, however, so let me Theres no -ceq
q support there.
provide a few explanatory notes. Querying on a first name is, of course, a pretty simple query.
First, notice that I typed -ff not -filter. PowerShell lets you Next month, Ill show you some more in-depth queries.
abbreviate any parameter name as much as you want, as long as InstantDoc ID 140069
the abbreviation doesnt create ambiguity. The only parameter
MARK MINASI ( is a senior contributing editor
that starts with the letter f is -filterr, which is why you can shorten it for Windows IT Pro, an MCSE, and the author of 30 books, including Mastering
down to -ff But if this cmdlet had a -fingerr parameter, for example, Windows Server 2008 R2 (Sybex).

8 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

TOP 10
Denalis support for Server Core enables leaner
and more efficient SQL Server installations and
reduces potential attack vectors.

New Features in SQL Server Denali

Youll get better tools, improved security features, and enhanced architecture

T 5
he next release of Microsoft SQL Server, code-named Change data capture (CDC) for OracleCDC lets you
Denali, is right around the corner. Microsoft has just keep large tables in sync by initially moving a snapshot to a
released Denali CTP3, and the final release is expected target server, then moving just the captured changes
by the end of the year. Denali continues SQL Servers between the databases. With the SQL Server 2008 release, CDC was
climb into the enterprise with a number of important limited to use in SQL Server. A big improvement in the Denali
features. Here are the top 10 most significant new fea- release is the addition of CDC for Oracle.
tures in the SQL Server Denali release.

T-SQL enhancementsTwo of the most important T-SQL
SQL Server Developer ToolsDenali provides a new devel- enhancements in Denali are the addition of the Sequence
10 opment environment, SQL Server Developer Tools, code- object and the window functions. Sequence lets you tie
named Juneau. Juneau uses the Windows Presentation unique row identifiers across multiple tables. The new window
Foundationbased Visual Studio 2010 shell, and it unifies develop- functions apply to sets of rows using the new OVER clause.
ment for Business Intelligence Development Studio and Visual Stu-

dio. Juneau aims to make the development environment consistent Columnar store indexThe columnar store index, or col-
for both SQL Azure and the on-premises version of SQL Server. umn-based query accelerator, uses the same high perfor-
mance/high compression technology as PowerPivot, and it

Contained databasesContained databases make it easy to brings that technology into the database engine. Indexed data is
move databases between different instances of SQL Server. stored according to the data of each column rather than by the
With Denali, users dont need logins for the SQL Server rows, and only necessary columns are returned as query results for
instance because all authentications are handled by the contained columnar indexes. Microsoft states this technology can provide up
database. Contained databases have no configuration dependencies to 100 times improvement in query performance in some cases.
on the instance of SQL Server that theyre hosted on and can be

moved between on-premises SQL Server instances and SQL Azure. Support for Windows Server CoreThe ability to run SQL
Server on Windows Server Core has been missing from

Project CrescentThe new data visualization tool, code- previous releases of SQL Server. Server Core is designed for
named Project Crescent, is closely integrated with Share- infrastructure applications such as SQL Server that provide back-
Point 2010 and Silverlight. Crescent makes it easy for users end services but dont really need a GUI on the same server.
to create great-looking data pages and dashboards by using data Denalis support for Server Core enables leaner and more efficient
models that are built using PowerPivot or from tabular data from SQL Server installations and at the same time reduces potential
SQL Server Analysis Services. attack vectors and the need for patching.

7 1
Data Quality ServicesValid
data is critical for making effec- AlwaysOnWithout a doubt, the most important new
tive decisions. Data Quality Services lets you set up a knowl- feature in SQL Server Denali is the new SQL Server
edge base that defines your metadata rules. You can then run AlwaysOn feature. AlwaysOn is essentially the next evolu-
Data Quality Services projects to apply those rules to data stored in tion of database mirroring. AlwaysOn supports up to four replicas.
a SQL Server data source. The Data Quality Services projects cleanse The data in the replicas can be queried, and backups can be per-
the data and allow viewing of good, invalid, and corrected rows. formed from the replicas. Although its still early, AlwaysOn seems
more complicated to set up than database mirroring because it

User-defined server rolesAn important security-related requires Windows Failover Clustering, but the advantages appear
feature in Denali is the addition of user-defined severs roles. to make it well worth the extra effort.
Earlier releases had fixed server roles that were predefined InstantDoc ID 140115
by Microsoft. These roles werent as flexible or granular as some
organizations wanted. The new user-defined server roles give
MICHAEL OTEY ( is senior technical director
organizations more control and customization ability over Denalis for Windows IT Pro and SQL Server Magazinee and author of Microsoft SQL Server
server roles. 2008 High Availability with Clustering & Database Mirroring (McGraw-Hill).

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 9

Federation isnt a nice to have add-on. It will
quickly become a mandatory high-availability
service of your IT infrastructure.

Federation at Microsoft
How Microsoft IT runs one of the worlds largest federation services

f youve been reading this column for a while, youre real- Perhaps surprisingly, a large number of these applications are
izing that sooner or later youll need to implement some on premises within the Microsoft network. An important feature
kind of federation service in your identity infrastructure. of claims-aware applications is that, to the applications, the tradi-
This service will allow you to provide single sign-on (SSO) to tional corporate firewall (the flaming brick wall, as security expert
cloud-based servicesboth on-premises and in the public Gunnar Peterson puts it) doesnt exist because all the applications
cloudfor your enterprise users, using their enterprise cre- traffic goes over always-open ports 80 (HTTP) or 443 (HTTPS). As a
dentials. If you dont provide SSO, your users will be forced to find result, claims-aware applications are very portable and are equally
their own ways of using these cloud service providers, and probably comfortable inside or outside that corporate firewall.
not in a way youd prefer. In this column, Ill review the production
federation service of a well-known enterprise: Microsoft. Microsofts IAM Environment
To find out how Microsoft runs its federation service, I sat down Figure 1 shows an overview of Microsoft ITs identity and access
with my friend and ex-Directory Services MVP, Laura Hunter, at the management (IAM) environment. It consists of three major areas:
Cloud Identity Summit. Laura is an ex-MVP because she accepted Microsofts internal network, called CorpNet; its extranet (DMZ),
a position as identity and access management architect for Micro- for collaboration with partners; and cloud services. Lets look at
soft IT, specifically for federation services. Besides her principal CorpNet first. Naturally, Microsoft uses all the identity tools at its
responsibilities with the federation infrastructure, she speaks at disposal, so it uses Forefront Identity Manager (FIM) to integrate
various conferences to show IT pros how federation is managed the companys HR database into the products metaverse. This
in whats probably the largest production federation environment metaverse is upstream of its AD environment and feeds select
in the world. HR data into it. As you might suspect, a company like Microsoft
with tens of thousands of developers has a pretty complicated AD
Federations History at Microsoft configuration.
Microsoft started dogfooding federation with the release of Its important to remember than when the phrase Log on using
Active Directory Federation Services (AD FS) 1.0 at the time of your enterprise credentialss is casually tossed around in federation
Windows Server 2003 R2. The companys original reason for imple- scenarios, this authentication process is often a lot more compli-
menting AD FS wasnt to provide access to what we now think of as cated than it sounds. Many companies dont have a single domain,
cloud applications (remember, this was around 2005), but to make or forest, that contains everyones user accounts. For a variety of
it easier for its employees to access Microsofts external provid- reasons, user accounts might be scattered across multiple forests.
ers. The first federated trusts for the company were payroll, HR, Microsoft, for example, has eight different AD production forests
employee benefits, and the Microsoft company store. Establishing comprising 18 production domains, any one of which might con-
these trusts made it possible for employees to use their enterprise tain a users corporate-sanctioned credentials. (Of course, there
Microsoft credentials to access the providers resources. are many test and development forests with separate, isolated
In 2010, Microsoft ITs upgrade of its federation service to AD credentials.) Because its not cost- or labor-intensive to provide
FS 2.0 with its support of the widely used SAML protocolcoupled separate federation services for each credential store, Microsoft
with the rise of cloud computingresulted in an explosion of use has configured its major account forests to use forest trusts with
for this service. Microsoft developers began creating new appli- selective authentication where required, to allow users to access
cations, and re-architecting existing applications, to use claims- resourceslike federationacross the forests. Along with the
based authentication instead of traditional integrated Windows multi-forest AD environment, ITs production AD FS service inter-
authentication. Laura estimates that Microsoft IT is currently acts with other claims sources (e.g., physical security), authoriza-
managing approximately 900 relying party trusts, though not all tion services, and more than 2,500 IT-supported line-of-business
of them are for production services. (There might be as many as (LOB) applications.
six trusts needed to support a production service at each stage of Microsofts extranet environment exists to allow Microsoft
its lifecycle, such as proof of concept, development, customer test, employees to sponsor credentials for partners and vendors for col-
integration test, and so on.) laboration purposes, and to allow these partners to access resources

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 11

Who are you trying to authenticate to what
An enterprise that wants to authenticate
its users to SaaS apps should probably
have an on-premises federation service. An
ISV that wants to make it easy for users to
authenticate to a cloud-based application
should probably host its federation service
in the cloud, too.
Laura likes to joke, If youre having
trouble setting up AD FS, its either a prob-
lem with PKI or a typo. On a more serious
note, she recommends that you build your
federation service with the end state in
mindin other words, plan for high avail-
ability from the beginning. Based on my
AD experience, Id suggest that you build
in lifecycle management for your federated
trusts from the start, just like you should be
doing lifecycle management for AD users,
Figure 1: Microsofts IAM environment groups, and computers.
Dont forget to also take the require-
such as SharePoint. An AD FS proxy is of thinking it isnt an important service. ments for an AD FS proxy into account.
another key component of the extranet, One way to think of a federation service is Youll want an AD FS proxy (an AD FS
which Ill review in more detail later. as a gateway between the Kerberos world installation option) as part of your architec-
Microsofts cloud computing environ- and the claims-based world. Claims-based ture in addition to the core AD FS service.
ment is an enormous and vitally important authentication uses claims wrapped in a Why do you need a proxy? Unlike the AD
facet of Microsofts computing story. This digitally signed token. FS service itself, the proxy doesnt have to
environment falls into three categories. The standard for enterprise authentica- be joined to a domain; its usually used in
Office 365Microsofts Software as a Ser- tion is AD, of course, and it uses Kerberos a DMZ to forward external authentication
vice (SaaS) version of its most popular tickets. Making enterprise authentication requests to the AD FS service. In Microsofts
desktop and server applicationsis used work with claims-aware applications means case, its used to allow employees outside
by Microsoft internally (in addition to the that tickets must be transformed to tokens, the corporate network to use claims-aware
services external customers) and uses the and vice versa. This transformation is the applications. It also allows extranet part-
DirSync service to synchronize identities main function of the Security Token Service ners to use some of these applications. Like
between corporate Office 365 users and (STS) component of a federation service the core AD FS service, it should also be
the service. Windows Azure is Microsofts such as AD FS. configured for high availability.
Platform as a Service (PaaS) offering. PaaS This means that as companies begin to Federation isnt a nice to have add-
provides a platform for developing SaaS use claims-aware applications both exter- on. It will quickly become a mandatory
applications. It was the first Microsoft nally and internally, the federation service high-availability service of your IT infra-
cloud computing product for the simple quickly becomes part of the mission-criti- structure. Leading by example, Microsoft
reason that Microsofts own developers cal infrastructure. Just count the number of IT demonstrates federations importance.
needed a platform for creating SaaS ver- arrows leading to and from AD FS and its To quote Microsoft Technical Fellow John
sions of the companys enterprise software. proxy service in Figure 1 to see how critical Shewchuk, Identity is the glue that binds
As you might expect, Windows Azure is it is to Microsoft! federated IT together. And a federation
very heavily used at Microsoft, and AD FS The advice that Laura would give to service, whether its maintained on prem-
along with the Windows Azure AppFabric companies that are planning a federation ises or hosted in the cloud, is the glue that
Access Control Service (ACS)facilitates service (note: that should be most of you) binds your AD environment and claims-
this. Finally, Microsoft uses a wide variety is to take a look at your requirements, aware applications together to help create
of third-party cloud computing service pro- because those requirements will deter- a federated IT.
viders and partners (such as the previously mine what kind of federation architecture InstantDoc ID 140319
mentioned payroll service). you need. She says, At the end of the day,
federation is pretty simple. Its about my SEAN DEUBY ( is
Federation Is Mission Critical people accessing your stuff, or your people technical director for Windows IT Pro and SQL
Server Magazine, and former technical lead of
Even though federation is a new service accessing my stuff, or my people accessing Intels core directory services team. Hes been a
in the IT world, dont make the mistake a providers stuff. Who are your customers? directory services MVP since 2004.

12 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

One Microsoft enterprise customer
was able to increase its stability to
levels never achieved before.

Give Microsofts Scalable Networking Pack Another Look

New best-practice recommendations surrounding Receive-Side Scaling and TCP
Chimney Offload

ack in 2007, Windows Server 2003 SP2 introduced a Many customers have also started to disable additional offload
set of networking performance featurescollectively features that have been stable across many OS releases. These
known as the Scalable Networking Pack (SNP)that offloads are typically named TCP Checksum Offload, IP Checksum
utilized hardware acceleration to process network Offload, Large Send Offload, and UDP Checksum Offload. They
packets and achieve higher throughput. Prior to are available to configure in network adapter advanced properties
SP2, these features were also available in an out- or configuration utilities. These features are not the same thing as
of-band update for SP1 as described in the Microsoft article The the SNP features, but customers often confuse them because of
Microsoft Windows Server 2003 Scalable Networking Pack release the similar naming. Also, many other performance enhancements
(, but werent widely deployed require these features.
by customers. The SNP features are commonly known as Receive-
Side Scaling (RSS), TCP Chimney Offload (sometimes called TOE), Receive-Side Scaling
and Network Direct Memory Access (NetDMA). In this months Prior to the introduction of SNP, receive-side network processing
column, Ill discuss performance specifics around RSS and TOE. in multi-core computers was conventionally bottlenecked by the
fact that a single CPU services all the interrupts from a network
Historical Problems adapter. RSS solves this problem by enabling a network adapter
Because of issues in the OS components and issues in network card to distribute its network-processing load across multiple CPUs in
drivers or system BIOS, customers who deployed Server 2003 SP2 on multi-core computers.
hardware that could utilize any of the three features often had prob- By not having RSS enabled, youre potentially wasting capac-
lems. Many customers resolved problems by disabling the features on ity and reducing overall load and network transactions that
Server 2003, and Microsoft released an update in the article An update each server can handle. This situation could result in higher
to turn off default SNP features is available for Windows Server 2003- costs, due to buying more hardware than you actually need,
based and Small Business Server 2003-based computers (support and due to additional infrastructure costs that come with the that would disable the three features. A additional hardware.
later update, A Scalable Networking Pack (SNP) hotfix rollup pack- For RSS to provide scalability, it must be enabled in the OS,
age is available for Windows Server 2003 ( which has a global impact on all network adapters, and it also
kb/950224), allowed customers to enable the features if needed, needs to be enabled in the individual network adapters through
but Microsofts recommendation is to leave the features disabled their advanced properties or configuration utilities. By default, in
unless theres a business need to enable them for higher network Server 2008 and Server 2008 R2, RSS is enabled. You can see if its
performance. In general, customers needing higher networking currently enabled or disabled by using the following command
performance should utilize Windows Server 2008 or Server 2008 R2, and looking at the resulting output:
due to the included next-generation TCP/IP stack.
C:\Users\Admin>netsh interface tcp show global
Fear in the IT Community Querying active state...
Because of the problems with SNP in Server 2003 SP2, the IT com-
munity quickly adopted the common practice to proactively and TCP Global Parameters
reactively disable these features. For Server 2003, this makes sense. ------------------------------------------------------------
But for Server 2008 and Server 2008 R2, disabling these features Receive-Side Scaling State : enabled
can often result in lower network performance and lower server Chimney Offload State : automatic
capacity. These features are very stable on Server 2008 R2 (with or NetDMA State : enabled
without SP1), and Server 2008 can achieve the same stability using Direct Cache Acess (DCA) : disabled
SP2 and additional hotfix updates. Unfortunately, disabling them Receive Window Auto-Tuning Level : normal
as one of the first steps to resolve networking issues is still a very Add-On Congestion Control Provider : none
common troubleshooting practice, with many problems not being ECN Capability : disabled
resolved due to disabling the features. RFC 1323 Timestamps : disabled

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 13

of computers that might benefit from hav-
ing TOE enabled. Servers with short-lived
connections, such as web servers or email
servers, might not see any benefit from it.
By default in Server 2008, TOE is dis-
abled. In Server 2008 R2, TOE defaults
to a new Automatic mode. You can see if
its currently set to automatic, enabled, or
disabled by using the following command
and looking at the resulting output line for
Chimney Offload State:

Figure 1: Checking whether RSS is disabled on a server C:\Users\Admin>netsh interface tcp

show global
Querying active state...

TCP Global Parameters

Receive-Side Scaling State : enabled
Chimney Offload State :automatic
NetDMA State : enabled
Direct Cache Acess (DCA) : disabled
Receive Window Auto-Tuning Level: normal
Add-On Congestion Control Provider: none
ECN Capability : disabled
RFC 1323 Timestamps : disabled

TOE also must be enabled in the network

Figure 2: The difference after enabling RSS adapter advanced settings, which also lets
you control which network adapters use it.
If RSS is disabled, you might see something with the number of processors on the Please see your network adapter documen-
like Figure 1. This picture is from the Per- server. Each adapter and manufacturer tation for more information.
formance tab in Task Manager, and you can has its own recommendations for settings, In automatic mode in Server 2008 R2,
see that Processor 0 is pegged at 100 percent so please see the vendor documentation to TOE considers offloading the processing
CPU, while the rest of the processors are determine optimal settings based on your for a connection only if the following cri-
running at lower utilization. Seeing Proces- environment and workload. teria are met. This allows TCP Chimney to
sor 0 at a much higher CPU utilization is a selectively offload connections, instead of
good indicator that RSS might be disabled TCP Chimney Offload all connections.
on a server. After enabling RSS, you can TCP Chimney Offload (often called TOE The connection is established through
see in Figure 2 the difference in processor by manufacturers) transfers TCP traffic a 10Gbps Ethernet adapter
utilization on the server as the CPU utiliza- processing from a computers CPU to a net- The mean round-trip link latency is less
tion for Processor 0 is now fairly close to the work adapter that supports TOE. Moving than 20 milliseconds
other processors right around 3:00 A.M. TCP processing from the CPU to the net- At least 130KB of data has been
RSS also relies on the network adapter work adapter can free the CPU to perform exchanged over the connection
offloads (which I mentioned earlier) that more application-level functions. TOE can
are on by default, known as TCP Checksum offload the processing for both TCP/IPv4 You can look at TOE connection details
Offload, IP Checksum Offload, Large Send and TCP/IPv6 connections if the network with the Netsh command netsh inter-
Offload, and UDP Checksum Offload (for adapter supports it. face tcp show chimneystats. If you notice
IPv4 and IPv6). So, if those have been dis- Because of the overhead associated extremely slow network performance
abled for a network adapter, RSS wont be with moving TCP/IP processing to the net- thats greatly improved by disabling Chim-
used for that network adapter. work adapter, TOE offers the most benefit ney, please see the Microsoft article The
Also, some network adapters have to applications that have long-lived con- SACK option is always set to true even if
advanced settings to control the number of nections and transfer a lot of data. Servers network adapter does not support SACK
processors used for RSS and also the num- that perform long-lived connectionssuch for offloaded connections in Windows 7
ber of RSS Queues. A common mistake is to as database replication, file serving, or per- or in Windows Server 2008 R2 (support
set the RSS processor very low, compared forming backup functionsare examples

14 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Table 1: RSS and TOE Recommendations for Each Server Version For SNP features, we highly recommend
Windows Server 2008 leaving RSS enabled in the OS and network
Service Pack 2 (required) adapter settings. We recommend you leave
Install hotfix for KB 979614 TCP Chimney set at Automatic for Server
Install hotfix for KB 967224 2008 R2 and disabled for Server 2008.
Re-enable RSS in the OS and network adapters If youre using NIC Teaming, please use
Update network adapter drivers to latest recommended manufacturer version the latest version of the network card drivers
Adjust RSS settings for network adapters based on manufacturer recommendations and additional software required to create
Update antivirus software to latest versions/engines and definitions teams with your network cards, and follow
the manufacturer recommendations for
Windows Server 2008 R2 TCP Chimney. Older versions of some NIC
Service Pack 1 recommended Teaming software didnt work with RSS, but
If not on SP1, install hotfix for KB 977977 and 979612 that isnt a problem with newer versions.
If on SP1, install hotfix for KB 2519736 We highly recommend that you leave
If using TCP Chimney Offload, install hotfix for KB 2525390 all other offloads that can be configured in
Consider hotfix in KB 2511305 network adapter advanced settings at their
Re-enable RSS in the OS and network adapters default settings (normally Enabled), since
Update network adapter drivers to latest recommended manufacturer version disabling them might disable other perfor-
Adjust RSS settings for network adapters based on manufacturer recommendations mance features that depend on them.
Update antivirus software to latest versions/engines and definitions InstantDoc ID 140350

TOD EDWARDS (tod.edwards@microsoft

Best-Practice Recommendations recommendations, one Microsoft enterprise .com) is a senior supportability program
Through trial and error, weve established customer was able to increase its Exchange manager at Microsoft, focused on identifying and
some general guidelines that have been Server capacity and stability to levels never mitigating the top causes of networking-related
issues in Windows Server. He has written and
adopted with great success in some customer achieved before. Table 1 provides a list of what contributed to a variety of technical content for
deployments. For example, following our is recommended for each server version. Windows Client and Server products.

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 15

NTFS vs. FAT Microsoft Security Essentials


An Old But Still Useful Technology Although RAID configurations protect 3. Copy the extracted files to your
NTFS is secure, reliable, and self-healing. It data, they can hurt performance. servers shared folder.
provides a solid foundation for data storage; Use FAT32 instead of NTFS on disk 4. Download the free PsTools suite
however, NTFS cant compete with FAT in one partitions where the cached video data (
area: speed. FAT has been always faster than was stored. bb896649) and extract the files to a folder on
NTFS. FAT has much less overhead because your machine.
its not secure, reliable, or self-healing. We decided to try these changes, so
Systems administrators who we us
used individual disks without With the preparation done, you can
love solid, reliable performance RA
RAID and used FAT32 to parti- install MSE. Lets say that you intend to install
prefer to use NTFS instead tio
tion them. The results turned it on a Windows XP machine named PC1 and
of FAT. However, FAT can be o
out to be better than we had the executable is on Server1 under a shared
invaluable in applications in h
hoped. There is no hard disk folder named Software. The only thing you
which speed is the overriding b
bottleneck now. The Avg. Disk need to do is open a command prompt on
consideration, such as in IP TV Q
Queue Length counter has been your computer and execute the following
applications. In these applica- con
constantly under 1 and often close command from the PsTools directory:
tions, TV signals from satellites are e to 0. No special action is
Murat Yildirimoglu
encoded to digital data. This data is typi- required to control frag- Psexec.exe \\PC1 -S
cally fed to Windows servers, which dis- mentation because the fi files are very \\Server1\Software\
tribute it to secondary servers. The secondary small and cleaned out periodically. mssefullinstall-XP-x86\setup.exe
servers, in turn, pass the data to clients. Murat Yildirimoglu, MCSE, MCT /S /runwgacheck /o
Video data consists of many tiny fi files InstantDoc ID 140109
whose size is usually only several kilobytes. (Although this command wraps here, youd
These tiny fifiles transfer from disk to disk, Legal, Free, Centrally Deployable enter it all on one line.) The /S parameter
so theyre constantly saved and deleted. Antivirus Solution forces the installer to perform a silent install.
Because theyre volatile (i.e., not permanently Small businesses can use Microsoft Security The /runwgacheck parameter forces the
stored), data security, reliability, and the Essentials (MSE) on up to 10 PCs for free. installer to perform a Windows Genuine
ability to self-heal arent primary concerns. Companies that dont want to use some of Advantage check. The /o switch tells the
The main concern is performance: You must their antivirus solution licenses for the PCs in installer not to perform a full scan of the PC at
distribute the files as quickly as possible. their small test labs can also use this the end of the installation. If you want
In an IP TV project in which I took part, free software. Manually install- it to perform the full scan, you can
hard disk performance had created a ing MSE on each PC is a viable om
omit the /o switch.
bottleneck. Although we used speedy Serial option in a small environ- After a few minutes, MSE
Attached SCSI (SAS) disks, the hard disk per- ment, but if youve already set w
will be installed on the remote
formance degraded over time and eventually up a domain, you can install it P
PC. Typically, you have nothing
crashed the application. When we observed with minimal effort.
ff el
else to do because the software
the hard disk performance in Performance 1. Download the appropri- pe
performs automatic updatesbut
Monitor, the Avg. Disk Queue Length counter ate copy of MSE from www in a few cases, I found that
was constantly over 2, which meant the hard als. Apostolos Fotakelis a restart was required.
disk couldnt cope with the requests. To solve 2. Right-click the executable and After you install MSE on
this problem, I made two suggestions: extract the files. If you dont have file compres- the rest of your computers, youll have a legal,
Cancel the RAID configuration. There sion software, you can use the free 7-Zip utility free, and effffective antivirus solution. Keep in
was a RAID 10 configuration on the disks. ( mind that this procedure isnt supported by
Microsoft and might change in future MSE
Tell the IT community about the free tools you use, your solutions to problems, editions. Also keep in mind that you wont
or the discoveries you've made. Email your contributions to
have a dashboard with which to centrally
If we print your submission, youll get $100.
monitor and confi figure MSE.
Submissions and listings are available online at Apostolos Fotakelis, computer security engineer
Enter the InstantDoc ID in the InstantDoc ID search box.
InstantDoc ID 140110

16 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Virtual Appliances Activation Actions
Windows Authorization

Q: How can I let non-

ANSWERS TO YOUR QUESTIONS administrators perform
activation actions on a client?
A: To let non-admin users perform
activation actions such as changing
be a security principal, such as a user, Multiple Activation or Key Manage-
computer, or application. The object can ment Service keys, performing a
be file
fi resources hosted on a file server, re-arm, or installing a license, do the
printer queues on a print server, Active following on the client:
Directory (AD) objects in the AD data- 1. Start the registry editor
base on a Domain Controller (DC), or any (regedit.exe).
other object thats kept in a Windows IT 2. Move to HKEY_LOCAL_
infrastructure. Authorization between the MACHINE\SOFTWARE\Microsoft\
subject and the object is governed and Windows NT\CurrentVersion\
enforced by a third entity that is referred SoftwareProtectionPlatform.
Q: Whats VMware re vShie
vShield? to as the reference monitor. In Windows 3. If the DWORD value UserOpera-
OSs, this third entity is called the Security tions doesnt exist, create it.
A: VMware
ware vShield is a collection o
of Reference Monitor (SRM). The SRM is the 4. Double-click UserOperations
virtual appliances built for the VMware
VMwar authorization authority on a Windows box. and set it to 1. Click OK.
vSphereere platform. Its virtual appliance
appliances It is a process that runs in the highly privi- 5. Close the registry editor and
ide security services for vSphere
provide leged OS kernel mode and that checks all reboot the client.
VMs, supporting activities such as fi rew
firewall access to resources located on a Windows John Savill
ection and anti-malware. They can
protection system. InstantDoc ID 139919
also provide network edge and gateway Windows Authorization and the SRM
services,s, including DHCP, VPN, NAT, p port deal with access to visible Windows
on, and load balancing.
translation, objects, such as fifiles, printers, registry keys, Impersonation means that a process
Depending g on which youve
youv licensed, and AD objects, and with access to less acts on behalf of a user.
a vShield installation can have up to four visible objects, such as system processes The access token contains a users
ff packages: vShield Zones, vShield and threads. Authorization also controls access control data such as group
Edge, vShield App, and vShield Endpoint. the ability to perform system-related memberships and user rights.
A fifth package, vShield Manager, man- tasks, such as changing the system time or The access mask tells the SRM what the
ages the services of each. shutting down the system. Microsoft calls process wants to do with the resource
Greg Shields these system-related tasks user rights. (for example, reading a file or writing to
InstantDoc ID 139896 Under the hood, the Windows authori- a file). At the end of the authorization
zation model is based on the key concepts decision making process, the SRM
Q: In the Windows authorization of access tokens, access masks, security returns another access mask, called
process, what do the terms access descriptors, and impersonation. Figure 2 the granted access mask to inform
token, security descriptor, and shows how these concepts are brought the process of what it can do with the
impersonation mean, and whats together. resource.
the relationship between these In the figure, notice how, upon every The security descriptor of an object tells
concepts? object access, the SRM checks the access the SRM who can do what with this
token and the access mask against an particular object.
A: Windows authorization always objects security descriptor. The access
deals with two entities, which Figure 1 token and access mask are both linked to a In the Windows authorization model, a
shows: a subject and an object that the process that impersonates a user. Heres a user never accesses a resource directly
subject wants to access. A subject can closer look at the terms involved: theres always a server process that acts on
behalf of a user. This process is known in
Jan De Clercq | Windows terminology as impersonation.
John Savill | When a process impersonates a user, it
Greg Shields |
means that it runs in the security context

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 17

referred to as a permission. An ACE links
a security identity (SID) to an access right
(for example, read, write, delete, execute).
Typical examples of permissions are Joe
can read the monthly expense claim
report, or Alice can print on the human
resource department printer. In a security
descriptor, an access right is represented
using a hexadecimal value called the
Figure 1: A subject
b and
d an object
b that
h the
h subject
b wants to access access mask.
Every security descriptor contains two
types of ACLs. They're called discretionary
ACLs and system ACLs.
Discretionary ACLs (DACLs) contain ACEs
that are set by the owner of an object.
They are called discretionary because
their content is set at the object owners
discretion. Ownership is a key concept in
the Windows security model. Its a very
powerful concept because the owner
of an object is always granted the right
to manage the objects permissions. By
default, the object owner is the Windows
user account that created the object. In
the case in which a domain administrator
or a member of the local administrators
group creates an object, by default
the Domain Admins or Administrators
Figure 2: Access tokens, access masks, security descriptors, and impersonation groups become the object owner. To
look at an objects discretionary ACLs
of the user and that it uses the users The main authorization attribute on from the Windows GUI, you typically use
authorization attributes. the object side is called a security descrip- the ACL editor, which you can access
To allow Windows to associate a tor. A security descriptor tells the authori- from the Security tab in an objects
users authorization data (the users zation system who can do what with the properties. To look at the DACLs of a
rights and group memberships) with object. Every object that has a security file system object from the command
every process thats started by the user, descriptor linked to it is called a securable prompt, you can use the cacls tool.
Windows uses an object called the access object. Securable objects can be shared System ACLs (SACLs) contain an
token. Access tokens are linked to a between different
ff users, and every user objects auditing settings and are
users logon session. Theyre generated can have different
ff authorization settings. set by an administrator. Theyre non-
on every machine that the user logs Examples of securable objects include a discretionarytheyre not related in any
on to. An access token is always local file, a folder, a file system share, a printer, way to the owner of an object. To look at
to a machine and never travels across a registry key, an AD object, and a service. an objects SACL from the Windows GUI,
the network. The OS component that The security descriptor of a file system you use the ACL editor.
generates access tokens is the Local object is stored in the NTFS fi file system.
Security Authority (LSA). Besides the The security descriptor of an AD object is In addition to the DACLs and SACLs, an
users domain authorization data (stored stored in the objects nTSecurityDescriptor objects security descriptor also contains
in AD), an access token also contains the attribute. Note that the nTSecurityDescrip- two other fi
fields. They are as follows:
users local authorization data. The latter tor attribute is also replicated to the Global The Owner SID field, which holds the SID
is the authorization data that are stored Catalog, which ensures that access to AD of the owner of the object.
in a systems local security database (the objects will be secured even if the object is The Primary group SID field, which
SAM): they include a users local group replicated outside its domain boundary to holds the SID of the object owners
memberships and local user rights. To GCs in other domains. primary group that is used for Posix and
look at the content of your Windows Every objects security descriptor con- Macintosh access control management
access token (including group member- tains a set of Access Control Lists (ACLs). compatibility.
ships and user rights), you can use the An ACL is composed of multiple Access Jan De Clercq
whoami tool with the /all switch. Control Entries (ACEs)an ACE is also InstantDoc ID 139906

18 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Protect Against
n th
he pa
pastst 2 yea
uriity ccompani
r , weevve he
es, defense in
d a lot about significant attacks against cloud service providerrs,
ndustry manufacturers, and national research laboratories. The Learn best
ck ag
he on
ainst th
ns these particulaar companies might have gone largely unnoticed in the noise of
sllaught of attacks again nst companies of all sizes and in all industry sectors, except for
practices to
onee thingthe unique nature of the attacks and the term used to describe them: the Advanced
on defend your
Persistent Threat (APT). McA Afee recently release a paper that indicates that some of these
attacks might be related and that theeyve been ongoing as part of a larger operation for some time. organization
McAfee dubbed the attacks Operatio on Shady RAT (Remote Access Toolfor more details, see the
McAfee white paper at
Theres a lot of confusion about what A APT means, as well as whether every company connected to the by John Howie
IInternet needsd to b be concerned d about
APT. L Lets
k ad detailed
il d llookk at what
h APT really
ll means and d
what you can do to defend yourself against APT attacks.

Origin and Meaning

The source of the term APT is debatable, but many people believe it was first publicly used in 2006,
by the US Air Force, to conduct briefings with people who didnt have a security clearance. The term
was intended to be used as an unclassified code word for both the source and style of attacks against
US interests. The term wasnt chosen lightly, and each word has specific, relevant meaning.
AdvancedThe source of the attack is a well-funded, well-resourced entity with sufficient
computing power and educated personnel at its disposal able to conduct the attack. The
individuals behind the attack are usually highly skilled and trained in the art of computer
intrusion; they arent your typical script kiddies.
PersistentThe source of the attack is patient, has a particular goal in mind, and is willing to
spend considerable effort in achieving that goal. If one avenue of attack is unsuccessful, another
avenue will be attempted. Unlike conventional attacks, the target is carefully selected and the
attack might go on for months or even longer until the goal is achieved.
ThreatThe source of the attack is a recognized threat to US interests. The attacker is a nation-
state backed group of individuals either working for or under the direction of a foreign nation.
The term is believed to have first been used to describe attackers at universities and military
schools in the Peoples Republic of China (PRC).

Since the term APT was introduced, it has been used to describe many attacks that have surfaced
in the press, including attacks that arent truly characteristic of the original meaning of APT. In fact, the
term APT has devolved largely through misuse to the point that the threatt component of the term can be
applied to any adversary who is a threat to the victims interests. This is a source of confusion to many.

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 19

Unfortunately, the term APT is now creep- evidence in its investigation. Its suspected RSA had to go to great expense to assure its
ing into marketing literature, as companies that some of Googles employees were customers that their use of the companys
try to sell products and services through friended using a popular IM product. The product was safe (and for customers who
scare tactics. Even worse, the marketing lit- APT friending the victims had conducted follow RSAs published guidelines, its very
erature often refers to existing products and extensive research about them, using safe). RSA issued replacement two-factor
services that offer no new features designed search tools, their pages on social media authentication hardware tokens to cus-
specifically to defeat an APT. websites, blog entries, and so on. The tomers upon request, even if not truly
wealth of information posted by the victims required. Using the information obtained
Unique Characteristics of helped identify them as targets, and it gave in this attack, the APT has since gone on
APT Attacks the APT a detailed profile of victims so the to attack defense contractors who used the
The meaning behind the term APT pro- APT could pretend to have similar interests manufacturers two-factor authentication
vides insight into why APT attacks are or even to be someone the victim met, went system, such as Lockheed Martin. The
unique. In addition to being incredibly to school with, or worked with in the past. APT has successfully compromised other
well-resourced, directed at a specific tar- After the victims were ensnared, the APT companies systems and networks, fueling
get, and carried out in a patient manner, sent them links to websites under the APTs speculation that the initial attack against
APT attacks are conducted very differently control; these sites contained malware that RSA was simply a means to an end.
from the average hacker or cybercriminal was downloaded to the victims machines Although not every organization will
attack. and exploited an Internet Explorer (IE) 6.0 become a target for an APT, the real con-
Most hackers probe systems and net- zero-day vulnerability. After the victims cern among security professionals is that
works, looking for weaknesses; upon find- machines were under the APTs control, the tools and techniques employed by
ing a vulnerability, they try to exploit it. the APT installed spyware designed to APTs will eventually make their way into
Typically, the end goal is to access data capture keystrokes as the victims logged the hands of cybercriminals and other
such as credit card information, user- on to their employers systems and net- hackers. If this happens, very sophisticated
names and passwords, or other personal works. With credentials granting access to attacks will be carried out against any
data that can be marketed and sold in Googles internal infrastructure, the APT organization that has something of value to
the underground cybercrime economy. probed for weaknesses in line-of-business the attackerwhether credit card or other
Hackers also attempt to crack applica- (LOB) applications and other software, financial information, trade secrets, and
tions using techniques such as SQL injec- attempting to elevate the level of access. so on. Attacks might also be carried out
tion (SQLi) to obtain access to databases At each point, the APT installed more as a form of cyber-activism, also known as
behind web applications. Another com- malware or configured the compromised hacktivism.
mon attack might involve cross-site script- systems to act as launch points for further
ing (XSS), which can be used to run attackswhich is often called pivoting. Defending Against APT-Style
malicious JavaScript applications in your Eventually, the APT compromised the core Attacks
browser or gain access to cookies or other systems it was targeting and was able to Commonalities exist in the APT attacks
data that might include usernames and access the desired datawhich in this case that I discussed in the previous section.
passwords, without you being aware of included the mailboxes of dissidents and First, the attacks began with the selection
whats going on. After attackers obtain human rights activists who were crucial of specific targets who were friended and
data, they typically end the attack, some- to the regime on whose behalf the APT sent instant messages with URLs to mali-
times after installing software that allows was working. Data collected in the attack cious websites or who received emails with
them future access to data. was exfiltrated from Google via a server attachments containing malware. The APT
An APT can use any of these individual under the APTs control at another service compromised victims machines by exploit-
attacks but more likely will use all of these provider. ing vulnerabilities in older and unpatched
attacks together, in combination with other In another recent attack, the victim was software. In the case of the Aurora attack,
attackssuch as spear-phishing, in which RSA, the manufacturer of popular two- its also likely that one or more of the vic-
individuals are targeted and tricked into factor authentication systems. The APT tims logged on using elevated privileges,
running malicious software or revealing targeted RSA employees with an email providing the APT with credentials that
their credentials to sensitive systems. that contained an Excel attachment, with afforded more access than an ordinary user
To fully understand how an APT works, embedded content that exploited a vulner- would have.
its useful to study a well-documented ability in a third-party media software pack- The lessons learned from these attacks
attackand there are several we could age (there was no vulnerability in Excel). show that social engineering plays a big
discuss. Google, a major provider of cloud When the victims opened the attachment, part in the initial phases, with attackers
services, publicly disclosed its 2010 attack, their machines were compromised and studying their potential victims carefully
dubbed Operation Aurora by McAfee, and the APT proceeded to install spyware, log and identifying whom to target. Organiza-
worked closely with customers and other on to other systems, and pivot to other tions can reduce the likelihood that their
companies that it believed might also systems on the network until the target employees will be targeted by creating
have been compromised, as it discovered was reached. As a direct consequence, and enforcing a social media policy that

20 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

prohibits employees from discussing their Every organization should have a secu- Flash, as well as Oracles Java, come with
employer or providing details about their rity education and awareness function an updater or feature to regularly check for
job on sites such as Facebook or in non- in place to teach employees the basics of updates. Make sure the updater is config-
company blogs. The less information that information security, the organizations ured to run.
an attacker has about potential victims, policies, how to detect and report suspi- You should run 64-bit versions of OSs
the less successful social engineering will cious emails and websites, and what to do and applications if possible, because most
be against those victims. Organizations when employees suspect that something malware is still 32-bit software and often
can also prohibit the use of company- is wrong. Small organizations wont have wont execute as intended on 64-bit sys-
owned computers to visit social media the resources to create and run such a tems, if at all. In addition, 64-bit software
websites or to run unsanctioned IM prod- program or develop their own training typically takes advantage of features to help
ucts. Although this approach might be very materials. For such organizations, I recom- protect and defend against malwarethese
unpopular among employees, many would mend resources such as ENISAs Awareness features arent available in 32-bit software
probably be content to visit social media Raising program (, SANS (e.g., signed drivers that prevent malware
websites and conduct IM chats from their (, the National Institute of from easily loading itself into the Windows
smartphones and tablets instead. Use of Standards and Technologys (NISTs) Com- kernel). Later versions of Windows (i.e.,
a proxy server or egress filter on a firewall puter Security Resource Center (csrc.nist Windows Server 2008, Windows Vista and
makes it trivially easy to technically imple- .gov), and Microsofts security awareness later) support Address Space Layout Ran-
ment such a policy for users connected materials ( domization (ASLR), which helps prevent
to a corporate network. For remote and security/cc165442). malware from exploiting a vulnerability that
mobile users, technologies such as Micro- If an attacker successfully sends an resides at known memory locations. Data
soft DirectAccess can be used to route all email with a malicious attachment or tricks execution prevention (DEPintroduced
traffic through the corporate network and a victim into visiting a malicious website, in Windows Server 2003 and Windows XP)
out through approved proxy servers and the malware used will likely try to exploit a can prevent certain vulnerabilities that
firewalls where policy can be implemented exploit heap and stack overflows, such as
and enforced.
The next step organizations of all sizes
Every organization buffer overruns. Windows 7 and Office
2010 both have 64-bit versions available.
can take to reduce the likelihood that should have a You should also consider instituting a
theyll suffer a successful APT-style attack is policy that prohibits the installation and
to employ malware filters on email systems security education use of non-approved software in your orga-
and proxy servers and to configure corpo- nization, and you should regularly audit
rate IM systems to prohibit the delivery of and awareness systems to make sure the policy is being
messages with URLs in them. An example followed. Non-approved software is often
of an email filter is Microsoft Forefront function in place. not updated by end users and might con-
Online Protection for Exchange (FOPE), tain vulnerabilities that can be exploited.
which scans email messages before theyre vulnerability in popular software for which Products such as Microsoft System Center
delivered to your on-premises or cloud- an update already exists. In the case of the Configuration Manager (SCCM) can collect
based email system and catches malicious Aurora attack, the zero-day exploit used information about installed applications on
attachments and other undesirable con- was present in IE 6.0 but not in later ver- end users systems. Increasingly, attackers
tent such as spam and phishing emails. sions of IE. use several different types of malware, hop-
In addition to being a more than capable Be sure to regularly update all the ing to find one vulnerable piece of software.
firewall, Microsoft Forefront Threat Man- software used in your organization and to In addition, the software packages that are
agement Gateway (TMG) 2010 can be use the latest versions whenever possible. typically targeted are vulnerable versions
used to protect employees from malicious Microsoft Update can be configured to of popular programs that often have no
websites by blocking access to known check frequently for, as well as download business usesuch as consumer-oriented
malicious sites and by inspecting web and install, updates for all supported ver- IM products, video calling software, and so
content for malware. IE 9.0 also con- sions of Windows, servers such as Micro- on. One way to prevent users from install-
tains a feature called SmartScreen, which soft SQL Server or Exchange Server, and ing non-approved software is to remove
anonymously checks the URLs of websites applications such as Microsoft Office and their administrator-level rights. Most mod-
against a centralized list of known bad Silverlight. You can also use a centralized ern application commercial off-the-shelf
websites and warns users if they attempt system such as Windows Server Update (COTS) software no longer requires the
to visit one. SmartScreen also inspects the Services (WSUS) 3.0 SP2, which is free and user to run it as a local administrator.
content on a visited web page, looking for can be used to run reports to catch sys- Moreover, newer software is typically more
characteristics of malware and other mali- tems that arent updating. For third-party secure and has fewer vulnerabilities than
cious content. Making IE 9.0 the default applications, make sure you understand older versions.
web browser in your organization will help how to check for updates and apply them. In the event that an attacker can com-
protect you. Many, such as Adobe Acrobat Reader and promise your employees systems, install

22 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

spyware, and gain credentials, you can and Microsoft Security Essentials. Security Service (RADIUS) server to your WLAN
minimize the impact by ensuring that users Essentials is free for small businesses with Access Points (APs) or wireless controller
dont have administrative-level access to up to 10 PCs. Even if an antivirus product and authenticate users against their AD-
their computers. You should also imple- doesnt initially detect malware used in an based username and password. You can
ment a policy through Group Policy, or a attack, it will most likely detect it sometime also set policies that restrict when and
similar mechanism, that forces users to later, as the vendor updates the signatures where users can connect to the WLAN,
change their passwords regularly. Another and detection capabilities to include new including who can connect to the WLAN.
best practice is to follow the principle of malware. Upon detecting malware, you can If you allow guest access to your WLAN for
least privilege and to use security mecha- then investigate what the malware is and vendors, contractors, and business guests,
nisms such as discretionary ACLs (DACLs) whether your systems and networks have such as partners and customers, I recom-
to restrict access on a need-to-know basis been compromised. mend that you create a guest WLAN thats
to folders and files, shares, websites, and Next, consider a technique called secure isolated from your corporate network.
other locations that might contain sensi- network segmentation. Many corporate Most modern WLAN APs and controllers
tive data. Database servers such as SQL networks are flat, and a user on one part let you create guest WLANs with a unique
Server can be configured to restrict access of the network can see a system anywhere SSID, logically separated from your corpo-
to databases, tables, and columns to only else on the network, even if the user cant rate network, that you can connect directly
those users who have a need to access authenticate to it or isnt authorized to to your firewall and the Internet. Although
the data, and database encryption can be access it. By segmenting your network, you WLANs havent figured prominently in
used to further enhance the protection of restrict network-level access through the recent descriptions of APT attacks, theyre
sensitive data. use of firewalls, routers, and other Layer still an easy way into many corporate
Employees who need elevated access 3 (L3) devices so that if an attacker pen- networks and can provide access from the
to systems and networks, such as sys- etrates one part of your network, he or she parking lot outside your office to a distance
tems administrators, should have separate is still hampered in reaching the actual tar- of several hundred feet, in certain circum-
credentials that they use when perform- get. Segmentation works best if you identify stances and with the right equipment.
ing duties that require elevated access your most sensitive environments and
and they shouldnt browse the web, read restrict access to them. In extreme cases, Use Protection
email, use IM, or use any other type of Not every organization will be a target
software that isnt required to perform
their duties when logged on with their
You should for an APT, but the methods and tools
used by an APT in the hands of cyber-
elevated credentials. When logging on
to desktop and laptop systems, systems
implement a policy criminals or hacktivists pose signifi-
cant problems for every organization.
administrators should use accounts that that forces users An organization that keeps its systems
are members of the local Administrators and networks up-to-date with the lat-
group but that arent members of the AD to change their est versions and updates, uses antivirus
administrators groupsthese include the software, practices the principle of least
local Administrators group on domain passwords regularly. privilege, adopts meaningful policies,
controllers (DCs), as well as the groups and educates its employees will likely be
Schema Admins, Enterprise Admins, and you might consider logically separating a able to withstand, slow down, or detect
Domain Admins. Ideally, a unique local production network that runs servers and most attacks. Although there are plenty
administrator account with a unique pass- POS or other transaction systems from your of other methods that a true APT can
word will exist for each desktop or laptop corporate network by creating a separate use to initially compromise your systems
system, but this can be difficult to manage forest and issuing credentials to only those and networks, these approaches typically
without third-party software. users who need access to the production require more costly and difficult attacks.
TMG can be configured to deny network. The one method I didnt discuss is egress
accounts with elevated access the ability to Lastly, if you have a wireless LAN traffic monitoringbecause even though
browse external websites, use IM software, (WLAN), I strongly urge you to consider some security experts recommend it, only
and so on. Its also possible to use Software configuring it with enterprise-class Wi-Fi the most sophisticated organizations can
Restriction Policies (SRP) in Windows to Protected Access 2 (WPA2). This means actually implement this technique.
prevent users logged on with elevated cre- using Extensible Authentication Protocol InstantDoc ID 140024
dentials from running software such as IE, Transport Layer Security (EAP-TLS) and
Microsoft Lync, or Outlook. configuring it so that every user logs on John Howie
Another step that you can take to defend with a unique certificate or set of creden- ( is a senior
yourself against attacks is to install a com- tials. If you run Active Directory (AD), director in the Online Services
Security & Compliance team at
mercial antivirus product. There are many you can configure the Network Policy Microsoft, where he manages cloud
such products on the market today, includ- Server (NPS) role in Server 2008 to act security.
ing Microsoft Forefront Endpoint Protection as a Remote Authentication Dial-In User

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 23


ll Windows OSs
OSs use RDDPP forr rem
connectivity. As a grer at
aterr per
age of users have ve bbeeco
c mee mob obiille,,
the devices used to con nnec
e t to o rem
emot otee
workspaces have becom omee m mo ore di divveers
r e
and users' expectations for a rich
rich,, hi
gh -fid
e it
completely remote experience have increased sed. T Too ke
k ep pac ace
with the increased importance of a rich remote exp exper errie
nc e, n
RDP has evolved by leaps and bounds in the past few gene enerarati
i ns. s
RDP 7.0, which was released as part of Windows Server 2008 8 R2 anand Wi
W nd
ws 7,,
has an awesome feature set, including the following:
Full 32-bit color support using an enhanced codec that uses less bandwidth than whe
24-bit color
ng The final piece
True multi-monitor support with each display treated as a distinct display area to a rich RDP
Bidirectional audio redirection that enables a great audio experience, including VoIP-type
applications experience
RDS Easy Print, which allows driverless printing to remote Server 2008 R2, Server 2008, or
Windows 7 desktops
Aero Glass remoting, which provides the Aero Glass experience for remote sessions as long as the by John Savill
local client supports Aero Glass; includes not only the Aero theme but also the 3D animations
and desktop composition features, such as Flip 3D and live taskbar preview
Windows Media Player remoting, which enables smooth media playback by sending the media
primitives (raw data) to the client for playback, provided the local client has this capability

For the Aero Glass experience and rich multimedia playback, RDP uses remoting and essentially
redirects the desktop composition and graphics/audio rendering from the remote session to the local
client, taking advantage of the local clients capabilities and resources to provide a great experience.
For example, instead of a Windows Media Video (WMV) file being rendered on the remote server
and the bitmap screen updates being sent over UDP for display on the local client, with Windows
Media Player remoting, the data contained in the WMV file (the primitive) is sent over RDP to the
local client. The local client then performs the decoding and rendering of the WMV file, saving a lot of
bandwidth and providing very smooth playback because we arent sending a huge amount of screen
updates over the network. This means when I connect to my remote session from a rich client, such
as a Windows 7 desktop, I get a pseudo-local experience, with full graphics fidelity. However, if I con-
nect from a more basic client that doesnt have Aero support or multimedia redirection, I dont get
any of the Aero experience. In addition, media playback isnt as smooth because its rendered on the
remote desktop, giving a far more basic experience and likely the dreaded jagged playback. This is true
when connecting to a session-based solution, such as a Remote Desktop (RD) Session Host server,

26 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

or a virtualized client OS solution, such as thin client; the experience and graphics Flash, Silverlight, and pretty much any
a Windows 7 Virtual Desktop Infrastructure fidelity will be the same because all the other content. The only limitation youre
(VDI) environment. RemoteFX solves this graphics processing can be done server- likely to encounter regarding DirectX is the
inconsistency by giving a consistent end- side. The only requirement is that the end amount of graphics memory thats visible
user experience regardless of the capabili- client must support RDP 7.1, which was to the VM, which is based purely on the
ties of the end client. introduced in Windows 7 SP1 and includes resolution and number of displays you
RemoteFX support. configure the VM withwhich I cover later
What Is RemoteFX? After a client VM is RemoteFX enabled in the article.
RemoteFX was introduced in Server 2008 R2 and is connected to from a RemoteFX- A question that often comes up is
SP1 and actually consists of three technolo- capable client, it will appear as if the VM whether multimedia redirection is still
gies that are aimed at VDI environments actually has a GPU and an amount of performed with RemoteFX. The answer is
running Hyper-V 2008 R2 SP1enabled graphics memory based on the RemoteFX that multimedia redirection is still used if
servers, with Windows 7 SP1 running as configuration for the VM. Running DxDiag you have a rich client that has multimedia
the client OS in the virtual machines (VMs). on the client will show the presence of a rendering capabilities. If you can leverage
The great news is that RemoteFX is avail- Windows Display Driver Model (WDDM) local processing capabilities and reduce
able in both Server 2008 R2 SP1 and the graphics driver and the Microsoft RemoteFX the servers processing load, you should
free Microsoft Hyper-V Server 2008 R2 Graphics Device along with support for do so; however, the key point is youll get
SP1 server OS. This free OS is commonly DirectDraw, Direct3D, and AGP texture the same experience regardless of whether
used in VDI implementations because you acceleration, as Figure 1 shows. The initial your client supports multimedia redirec-
dont need the server virtual guest rights RemoteFX release supports DirectX 9.0c. tionbut the rendering will be performed
that exist in the Enterprise and Datacenter DirectX support in the virtualized on the server rather than the client.
editions if youre running a client OSonly OS is very important. Many applications Another common question is whether
virtualized environment. and services leverage DirectX, such as OpenGL is supported. OpenGL is still
RemoteFX actually evolved from Silverlight, Internet Explorer (IE) 9.0, and used by certain applications. Although
technologies first created by Calista even Microsoft PowerPoint 2010. With the RemoteFX does support OpenGL, support
Technologies and acquired by Microsoft availability of DirectX in remote environ- is limited to OpenGL 1.1, which is provided
in 2008. These technologies focused on ments, most of the previous restrictions out of the box in Windows. This version is
providing a richer thin-client experience regarding the type of applications that can quite old. Of course, wed love to see more
and are now part of the core Windows be run are eliminated. In addition, applica- up-to-date OpenGL support in a future ver-
platform. tions now run with full fluidity; because all sion of RemoteFX.
Virtualized GPU. RemoteFX consists of the rendering is performed server-side, the Because the GPU is virtualized, we dont
three technologies, one of which provides client youre using has no relation to what need a discrete GPU for every VM that will
the ability to virtualize the graphics pro- you can do. For example, you can be on a be RemoteFX enabled. Just like CPU vir-
cessing unit (GPU) in the server and make basic client that supports RemoteFX, and tualization, in which a single logical CPU
these virtual GPUs available to the VMs in that remote session you can be running (such as a core) can be mapped to many
running on the Hyper-V server. The virtual
GPU allocated to the VM can be leveraged
by the Windows 7 SP1 guest OSs running
in those VMs. Windows 7 SP1 includes
updated integration services, which lets
guest OSs see the virtualized GPU and use
it without additional software installation.
This means the virtual Windows 7 SP1
guest now sees a full-featured GPU, which
allows advanced graphics to be rendered
server-side. The screen output is then
sent to the RDP client for display, includ-
ing server-side rendering of Aero effects,
multimedia, and other types of media and
applications not previously possible, such
as Adobe Flash and Microsoft Silverlight
and DirectX applications. Because all the
rendering is performed on the Hyper-V
server within the VM, the actual client
capability no longer matters. You can
connect from a full, rich client or a basic Figure 1: Running DxDiag from within a RemoteFX-enabled Windows 7 SP1 VM

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 27

virtual CPUs, a GPU can be virtualized to redirected. However, these devices are all device redirection can be used in both LAN
as many as 12 virtual GPUs, allowing great redirected by abstracting the device into and WAN environments.
scalability. One key consideration when we one of the supported high-level RDP redi- Next, consider RemoteFX USB redirec-
virtualize the GPU is the amount of graph- rection device types. This means we can tion in which youre redirecting at the USB
ics memory each VM will need. You cant access these devices on the remote session port level to the remote session. Because
overcommit GPU memory; therefore, to without needing any drivers on the remote the port is being redirected, no device- or
achieve the 12:1 ratio, you need to ensure OS installed, but it also means we might load-specific optimizations can be made.
that the graphics card has sufficient video miss device-specific functionality. In addi- In addition, the device driver must be
RAM for all the VMs. tion, many types of USB devices cant be installed in the remote session because
Server-side rendering of advanced redirected if they dont fall into these high- on the remote session it will look as if the
graphics content is great, but it also means level types, such as multi-function printers, device has been plugged in to a virtual
that more screen update data will need to advanced communication devices, scan- USB port, so it needs the driver to use the
be sent over the network to the client for ners, barcode readers, USB foam missile device. Also, because were redirecting at
displayespecially with all the additional rocket firing devices, and many more. the port level, only one session can access
graphics-intensive applications that are RemoteFXs USB redirection solves this a device at a time, including the local client.
supported. To ensure a good client experi- problem by actually redirecting at the USB Therefore, if you redirect a device using
ence, RemoteFX is supported only for LAN port level in a similar way to how RDP RemoteFX USB redirection from your local
connections in the initial SP1 release. This handles redirection of serial and parallel client, no other session can see the device,
ensures enough bandwidth and low laten- ports. With RemoteFX USB redirection, nor can your local client. (So, make sure
cies. If you select any connection speed the actual USB request blocks (URBs) are you dont try to RemoteFX USB redirect
less than LAN (10Mbps or faster) on the intercepted from the client and sent to your keyboard!) RemoteFX USB redirection
Experience tab of the Remote Desktop the remote session. Thus, basically any is also optimized for LAN environments
Connection client, then RemoteFX will be and cant be used on WAN connections.
disabled. Figure 2 shows several devices that I can
New codec. Even if you ensure that RemoteFX is use RemoteFXs USB redirection capability
RemoteFX is used only on LAN connec- to redirect. I couldnt have used standard
tions, youll still experience a lot of screen supported only for RDP to redirect all these devices. This pow-
updates and therefore bandwidth usage.
The second part of the RemoteFX tech-
LAN connections erful feature means I can have pretty much
any USB device available in my remote ses-
nology package is a new codec that was
designed to efficiently encode and decode
in the initial SP1 sions after I install the driver. Combined with
high-level RDP redirection, RemoteFX USB
the display updates associated with the release. redirection provides a great experience.
more intensive RemoteFX-enabled work- By default, RemoteFX USB redi-
loads. This is the only part of RemoteFX type of USB device can be redirected using rection is disabled on clients. You can
thats available to RD Session Hosts, for- the RemoteFX USB redirection feature; enable it through a local policy or through
merly known as Terminal Servers. A Server however, this doesnt mean you shouldnt Group Policy. Navigate to \Computer
2008 R2 SP1 RD Session Host can take continue to use RDP high-level device redi- Configuration\Administrative Templates\
advantage of the new RemoteFX codec for rection for supported devices. RemoteFX Windows Components\Remote Desktop
encoding of the screen updates. Separate USB redirection is designed to supplement Services\Remote Desktop Connection
hardware encoder modules are available RDP high-level device redirection to add Client\RemoteFX USB Device Redirection,
for offloading of the encoding work. support for devices that dont work with and set the Allow RDP redirection of other
Enhanced USB redirection. The the standard RDP. supported RemoteFX USB devices from this
final piece of the RemoteFX technology, For RDP high-level supported device computerr option to Enabled. Next, select
enhanced USB redirection, is often over- redirection, such as input (keyboard/ the option to indicate who has RemoteFX
looked. However, this feature truly com- mouse), audio, drive, smart card, port, USB redirection rightseither adminis-
pletes the ability to have a full-featured printer (RDS Easy Print), and Plug and Play trators only or administrators and users.
remote desktop experience by enabling (PnP), optimized protocols are used for Finally, click OK and close Group Policy
the redirection of basically any USB device each of the redirection types to minimize Editor (GPE). After the policy change takes
from the local client to the remote session. bandwidth usage and to ensure the best effect, the option to redirect RemoteFX
Prior to the RemoteFX USB redirection responsiveness and optimal experience for USB devices will be available in the Remote
feature, there were advancements in the that type of device. In addition, RDP high- Desktop Connection client.
type of devices that could be redirected level device redirection doesnt require Although RemoteFX USB redirection
to a remote sessionfor example, key- extra drivers in the remote session, and doesnt use any GPU resources, its closely
board, mouse, microphone, smart card, multiple remote sessions can access the tied to the RemoteFX experience and cant
disk, imaging devices with Inbox-type same local device simultaneously. Because be used with RD Session Hosts or a non-
functionality, and a few others that can be of these optimizations, RDP high-level RemoteFXenabled Windows 7 SP1 VDI

28 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

all the requirements. RemoteFX is part of
the Remote Desktop Services role, so to
enable RemoteFX we use Server Manager
and enable the RemoteFX role service,
which is a component of the Remote
Desktop Virtualization Host role service,
as Figure 3 shows. You need to reboot to
complete the installation. If youre running
the free Hyper-V server, you can use the
following PowerShell commands to enable

Import-Module ServerManager
add-windowsfeature -name RDS-RemoteFX

After RemoteFX is installed on the

server, you need to enable a VM for the
technology. To do this, use Hyper-V
Manager to view the VM settings. Under
Add Hardware, select the option to add a
Figure 2: RemoteFX exposes your USB devices as candidates for redirection to a remote session RemoteFX 3D Video Adapter and select
the maximum number of monitors and
VM. If you want RemoteFX USB redirection, the maximum resolution. These settings
you need GPUs in your Hyper-V servers and both DirectX 9.0c and DirectX 10.0 and are used to calculate how much video RAM
must enable your VMs for RemoteFX. have dedicated video memory. In addi- should be assigned to the VM, as Figure 4
tion, if you have more than one GPU in a shows. The more monitors you assign to a
RemoteFX Requirements and Usage Hyper-V server, the GPUs must be identi- VM, the lower the maximum resolution.
This all sounds great; we have a consistent Table 1 shows the combinations possible
high-fidelity graphics experience regard-
less of the client resources, the ability
You can enable for number of monitors and resolution, as
well as the amount of video RAM assigned.
to run advanced graphics applications RemoteFX USB For more information about performance
using server-side rendering, efficient use counters related to RemoteFX, see my
of bandwidth, and redirection of any USB redirection through FAQs Exactly how much GPU memory is
device to the remote session. So how do allocated to a virtual machine (VM) based
we actually obtain access to RemoteFX
a local policy or on the number of monitors and resolution
First, you need to know which versions
Group Policy. set? (, InstantDoc
ID 130049) and Are there any performance
of Server 2008 R2 SP1 support RemoteFX. cal. The amount of memory required will counters to monitor the performance of
Server 2008 R2 SP1 Standard, Enterprise, vary depending on the number of VMs you RemoteFX? (,
and Datacenter full installations all support plan to RemoteFX enable. InstantDoc ID 130048).
RemoteFX, in addition to the Server Core Enabling RemoteFX on a Hyper-V server Note that you dont have to use all
based free Hyper-V Server 2008 R2 SP1. is very simple as long as the server meets the monitors configured for a VM or the
Server Core installations of Server 2008 R2
SP1 dont include RemoteFX; as I noted,
you need to be running a full installation
of Server 2008 R2 SP1 or the free Hyper-V
Server 2008 R2 SP1 if you want Server Core
(which is the version of Windows youd
typically be running for VDI environments
What about hardware? Remember that
were virtualizing the GPU in the server
and making virtual GPUs available to the
VMs that actually perform the server-
side graphics rendering. Therefore, the
first requirement is to have a GPU in the Figure 3: Enabling RemoteFX functionality on a Windows Server 2008 R2 SP1 server

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 29

be installed on servers to offload some of
the RemoteFX encoding and increase a
servers scalability. (I discussed this topic
earlier in the article in reference to using
the RemoteFX codec with RD Session
Hosts.) Another RemoteFX requirement
is that the OS running in the VM must be
Windows 7 Enterprise SP1 or Windows 7
Ultimate SP1.
The final requirement is the client
Figure 4: Setting the number of monitors and maximum resolution itselfthat is, the device with which you
connect to the RemoteFX-enabled VM.
The client must support RDP 7.1 and
Table 1: Possible Combinations of Number of Monitors and Resolution
RemoteFX. Although obvious choices such
Maximum Resolution 1 Monitor 2 Monitors 3 Monitors 4 Monitors
as Windows 7 SP1 work great as clients, as
1024 768 75MB 105MB 135MB 165MB
does the new Microsoft Windows Thin PC,
1280 1024 125MB 175MB 225MB 275MB
a whole new generation of thin clients are
1600 1200 184MB 257MB 330MB being released that are very small in form
1920 1200 220MB 308MB factor but have full RemoteFX support,
providing a great end-user experience with
maximum resolution; this information is is that the installation of the required WDDM hardly any hardware footprint and minimal
used for the video memory assignment so driver might break the use of remote base- power use.
the VM can support the configured number board management controllers that need
of monitors and resolution if needed. Also XDDM drivers. For a solution to this issue, The Best Is Yet To Come
notice that we max out at 330MB. If you see my FAQ I use a DRAC/ILO to man- RemoteFX is an awesome technology that
have an application that requires more age my Hyper-V server but since enabling totally changes the capabilities available
graphics memory than 330MB, RemoteFX RemoteFX on the server the DRAC/ILO no to users connecting to Microsoft VDI envi-
isnt the right solution for you (yet). longer works. Why not? (www.windowsit
( ronments and eliminates many of the
Enabling RemoteFX uses an additional, InstantDoc ID 130026). past restrictions. Although the hurdle of
amount of normal system memory for each Today, many servers dont have GPUs or no GPUs in servers might be an initial
VM, which varies based on the number of even PCI Express slots suitable for installing challenge, this obstacle will be overcome
monitors and the resolutions. The amount a GPU. This oversight makes implementing with new server lines being released in
of video RAM a server needs depends on the future. In addition, RemoteFX is only
the number of VMs you RemoteFX-enable Enabling RemoteFX in version 1.0; I expect the technology to
and the number of monitors and resolution improve with age.
configured for each. uses an additional For information about enabling
Beyond just the GPU and video memory, RemoteFX in a Windows 7 SP1 VM, check
you should be careful about video card amount of normal out my FAQ How do I enable RemoteFX
and driver selection. Although a consumer for my Windows 7 guest OSs? (www
graphics card might work fine in a lab envi- system memory, InstantDoc ID 125627).
ronment for a single VDI client just to play
around with RemoteFX, for production envi-
for each VM, which See Microsofts RemoteFX page at www
ronments with multiple VDI-enabled VMs
you need professional-grade GPUs. Equally
varies. us/rds-remotefx.aspx for some performance
tweaks. Finally, see RemoteFX in action at
important is the WDDM GPU driver. To help RemoteFX difficult. In the future, more
make the GPU selection easier, Microsoft server hardware partners will be releas- InstantDoc ID 139872
started a RemoteFX certification program for ing servers with multiple GPUs and PCI
the GPU and driver to help find a GPU that Express slots specifically to enable GPU
will deliver a great RemoteFX experience. virtualization for VDI implementations.
John Savill
( is a
For information about RemoteFX partners, Another requirement to enable Windows technical specialist,
see the Remote Desktop Services (Terminal RemoteFX is that the processor must sup- an 11-time MVP, and an MCITP:
Enterprise Administrator for
Services) Team Blog at port Second-Level Address Translation Windows Server 2008. Hes a
/b/rds/archive/2010/07/08/more-partner- (SLAT), which is known as Extended Page senior contributing editor for
momentum-around-microsoft-remotefx-in- Tables (EPT) by Intel and Nested Page Windows IT Pro, and his latest
book is The Complete Guide to
windows-server-2008-r2-sp1-beta.aspx. One Tables (NPT) by AMD. Although not a Windows Server 2008 (Addison-
problem you might run into on your servers requirement, RemoteFX encoders can also Wesley).

30 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


lthouggh it
houg its nott aass ob
us as iin
n an
n aapp
tion li
ke M
ft S
at the heart of Microsoftt Exchangee Server. Databases need constant tending to remain
r, dattab
ess aare
Repairs can be
efficient. Exchange main ntenance comes
article explores the two types of maintenance,
in two flavors: ongoing and on-demand. This
what theyre used for, and the changes
ongoing or
Microsoft made in Exchaange Serverr 2010including some new cmdlets that are available on-demand
in Exchange
c a ge Server
Se e 2010 0 0 SP1.
S .

The Need for Maintenance by Tony Redmond

Some people would assert that a properly designed and engineered database application should be
self-maintaining. However, such Utopia has yet to be achieved in most applicationsand Exchange is
no different. Maintenance is needed to optimize internal database structures, remove old data thats
no longer required, and apply management policies. Most of this work occurs in the background as
part of the ongoing maintenance performed within the Exchange Information Store process, whereas
the Managed Folder Assistant takes care of applying the rules of retention policies to mailboxes that
come under the control of these policies. (For more details about the processing performed by the
Managed Folder Assistant, see the Learning Path.)
Exchange 2010 introduces a new database schema that marks the first overhaul of the internal
structures since Exchange Server 4.0, in 1996. Previous tweaks, such as the increase in page size from
4KB to 8KB in Exchange Server 2007, helped Exchange cope with the demands of modern messaging
but didnt provide the foundation for operating in a world where a 10GB mailbox will soon be the
norm, even in corporate email systems. The new schema introduced in Exchange 2010 uses a set of
internal tables that belong to individual mailboxes rather than using tables that contain data for a
complete database. This change doesnt sound dramatic, but it lets the Store retrieve data much more
efficiently to respond to user requests, especially as the number of mailboxes supported on a server
increases to the several-thousand level commonly seen in production today. Other internal database
changes, such as increasing the page size to 32KB and deferring view updates until items are requested
by clients, transform the I/O profile from multiple small random I/Os to fewer and larger sequential
I/Os. Essentially, Exchange 2010 processes more data in bigger chunks rather than nibbles. (Microsoft
sometimes calls the use of random small I/Os nickel and diming.)
This approach is sensible given the swelling size of an average message from 4KB in circa 1996
to well over 100KB today, and the results are seen in a radical decrease in I/O operations per second
(IOPS) generated by each mailbox. As with all aspects of performance, your mileage will vary depend-
ing on the details of your deployment, especially the storage hardware you use and how the different
files (system, Exchange, databases, and transaction logs) are laid outbut in general, its fair to say that
companies that deploy Exchange 2010 in production will experience a large reduction in I/O demand
over Exchange 2007 and a massive reduction when compared with Exchange Server 2003. Microsofts
publicity for Exchange 2010 indicates a reduction of 70 percent in I/O between Exchange 2003 and

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 31

Exchange 2007 and a further improvement database availability group (DAG). Essen- never takes away from the ability of the
of about the same because of the changes tially, if the Store detects a problem page server to handle client requests. In other
made to Exchange 2010. However, such (one that fails a checksum check), its able words, in times of peak demand, Exchange
figures should be taken with a grain of salt to signal to servers that host other copies limits the amount of background main-
until you verify the performance charac- of the database to ask them to provide a tenance and then increases background
teristics of your production servers. Theres good copy of the page. After a good copy maintenance when user demand drops.
no doubt that youll see improvement. is received, the Store is able to patch the Some additional CPU cycles and I/O
The question is simply how much better database and restore its overall integrity. are necessary to perform the processing
Exchange 2010 performs on the type of Automatic problem page detection and required by maintenance on a 24 7 basis,
hardware that youve chosen to deploy. fixing is a tremendous advantage of run- such as shuffling pages around. However,
ning mailbox servers in a DAG because it this shouldnt be a concern for most mod-
Operating In a 24 7 World removes the classic -1018 page corrup- ern multi-core servers, especially given the
Exchange has always had the capacity to tion problem from the list of things that I/O gains made elsewhere.
perform background maintenance. The administrators have to worry about.
difference in Exchange 2010 is that Exten- 24 7 ESE scanning isnt the only main- On-Demand Maintenance
sible Storage Engine (ESE) maintenance, tenance that proceeds on a continuous basis. Given all the automatic maintenance thats
or the maintenance done for internal data- Exchange 2010 performs online defragmen- going on in the background, administrators
base structures, is done on a 24 7 basis tation to keep internal structures optimized, have less reason to intervene to perform
by default rather than within a predefined items are removed from the database imme- on-demand maintenance on Exchange 2010
time window, which is the approach used diately after their retention period expires servers. However, we still dont live in a per-
by legacy Exchange servers. (If desired, you instead of waiting for the next maintenance fect world, and administrators must be able
can create a custom maintenance window window, and deleted pages are recycled so to recognize the two basic types of database
for Exchange to use.) The problem with that they can be reused to store new items corruptions that occur: logical and physical.
relying on a time window is that there immediately. Finally, the Store analyzes the Logical errors are evident in problems
might be too much work to get through effect on database contiguity as transactions such as an incorrect count in a folder or a
in the available time. This problem grows occur and, if necessary, the Store launches view that doesnt include all the items that
in line with database sizes, so as database a background thread to move data between it should for some reason. Logical errors
sizes increase, the only solution is to assign pages to make sure Exchange can fetch large often result from a client-side bug in which
a larger time window in hopes that you chunks of contiguous data instead of resort- a client manipulates items in a folder but
keep pace with the work. ing to a hunt and peck to find all the pages fails to update Messaging API (MAPI)
Maintenance operations are essential required for a transaction in multiple parts flags properly. These problems are usually
for an Exchange database because they do of the database. tolerable in that you can function perfectly
the following: All of these activities are auto-throttled well even when errors are present in a
Remove items and mailboxes from to ensure that background maintenance folder or mailbox. Some users dont even
the database (a hard delete) after their
retention time expires
Discover pages that were previously
occupied by deleted items and
mailboxes, and free up these pages for
reuse by the database
Validate checksums on pages to ensure
that they arent corrupt

Exchange 2010 still performs these main-

tenance operations, but the big difference
is that ESE scanning can now occur on an
ongoing 24 7 basis, unless you disable
background maintenance for a database by
updating its properties, as Figure 1 shows.
When 24 7 ESE scanning is enabled
for a database, the Store validates page
checksums on an ongoing basis to ensure
that the integrity of the database is con-
tinually verified. This is important because
Exchange 2010 also includes the ability
to patch single problem pages within a Figure 1: Setting the maintenance properties for a mailbox database

32 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

A New Approach to Fixing Logical generated from the Exchange Manage-
Learning Path Corruptions ment Console (EMC) or the Exchange
ISINTEG isnt used in Exchange 2010 Control Panel (ECP), so everything has
To learn more about Exchange Server
2010s retention policies: because Microsoft didnt do the work to be managed using Exchange Manage-
to update the utility to reflect the new ment Shell (EMS) commands. Also, you
Exchange 2010 MRM: How to Modify and Reduce database schema. In fact, the change in cant run mailbox or public folder repair
Help Desk Calls About Retention Policies, focus within the schema from tables that requests against legacy Exchange serv-
InstantDoc ID 125919
work across the entire database to those ers because this functionality depends
Exchange 2010 MRM: Implementing New Retention that are specific to a mailbox means that on the Active Directory (AD) schema
Policies, InstantDoc ID 125359 its increasingly rare to encounter logical updated by Exchange 2010 SP1.
issues that interfere with a databaseand The New-MailboxRepairRequest cmd-
Email Retention Policies in Exchange 2010, if you find a problem with a mailbox, a let creates a repair request for a mailbox,
InstantDoc ID 103086
simple mailbox move from one database whereas the New-PublicFolderDatabase
to another is often sufficient to sort out RepairRequest cmdlet creates a repair
problems with structures, such as named request for a public folder database. For
realize that errors exist. After all, if Micro- properties, views, and item counts. The example, this command creates a mailbox
soft Outlook reports that a folder holds reason a mailbox move fixes these prob- repair request to check that folder views
1,119 items, will anyone take the time to lems is that the move operation essentially are valid:
count all the items to verify that Outlook rebuilds the new mailbox in the target
has correctly reported the count provided database and therefore eliminates many New-MailboxRepairRequest -Mailbox
to it by Exchange? logical problems as data is moved. (For 'Redmond, Tony' -CorruptionType
Physical errors are far worse in terms more information about how Exchange FolderView
of their effect on the smooth running of an 2010s move operations work, see Mov-
Exchange server because they can render a ing Mailboxes the Exchange 2010 Way, If you add the -DetectOnly parameter
database completely inaccessible to users. InstantDoc ID 103651.) to the request, Exchange will report any
In the past, a physical error or corrup- In Exchange 2010 SP1, Microsoft com- corruption that it finds but wont repair
tion could be caused by a software bug or pleted the move away from ISINTEG by it. The other corruption types that can
hardware failure. Today, the vast majority providing a new set of repair cmdlets be fixed in a mailbox are SearchFolder,
of physical errors are caused by hard- for mailbox and public folder databases AggregateCounts, and ProvisionedFolder.
ware, such as problems in a disk controller to allow administrators to create repair These repairs fix problems with search
when it attempts to write an updated page requests that address the most common folders, counts on folders, and provi-
correctly back into a database. Physical causes of corruption for views and item sioned fields.
corruption causes data loss if pages that counts. These include the following: You can perform several repairs with
hold indexes and mailbox contents cant Search folder corruptions one pass through a mailbox by specifying
be fixed. (mailbox) a list of the different fixes that you want to
In previous versions of Exchange, Incorrect aggregate counts on folders make. For example:
on-demand maintenance is performed (mailbox)
with two command-line utilities pro- Incorrect contents returned by folder New-MailboxRepairRequest -Mailbox
vided as part of the Exchange toolkit. views (mailbox) 'Redmond, Tony' -CorruptionType
ISINTEG (the Information Store Integrity Public folder replication state FolderView, SearchFolder
maintenance utility) takes care of logi- Public folder view verification
cal errors; ESEUTIL (or even EDBUTIL if Public folder physical corruption The Archive parameter defines whether
you remember back that far) handles or not the Store scans the mailboxs per-
problems at a much lower physical level, These repair cmdlets use roughly the sonal archive. If omitted, the archive isnt
in the bowels of the database. Both utili- same model as Exchange 2010 mailbox processedso to include the archive in
ties are throwbacks to the days when it move, import, and export requests in the repair, we need a slightly modified
was acceptable to take databases offline that an administrator creates a repair command:
for several hours to perform preventive request thats queued for processing by
maintenance. As such, these utilities are the Store, which then performs what- New-MailboxRepairRequest -Mailbox
anathema to administrators. Given the ever repairs are required asynchronously 'Redmond, Tony' -CorruptionType
size of mailbox databases today, it could with the database online. Theres no FolderView, SearchFolder -Archive
take several hours for a utility to complete need for the user to log out of his or
processing, creating a potentially huge her mailbox while the Store examines You can also scan all the mailboxes in
effect on the ability to meet service level and adjusts internal mailbox structures. a database at one time to fix any corrup-
agreements (SLAs) and other operational Theres no UI available in Exchange tions that are found in any mailbox. For
requirements. 2010 SP1 to allow repair requests to be example:

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 33

There are still good reasons to run
ESEUTIL, but not on an ongoing basis
and certainly not to free up disk space.
You might need to run ESEUTIL to make
a backup copy of a database consistent
before it can be mounted as a recovery
Figure 2: Submitting a mailbox repair request
database, or you might be advised by
New-MailboxRepairRequest -Database problems found in the tables within the Microsoft Customer Service and Support
'VIP Mailboxes' -CorruptionType mailbox are replicated, along with other (CSS) to run ESEUTIL to fix a low-level
FolderView, SearchFolder, transactions to the database copies, and problem in the database that cant be fixed
AggregateCounts are logged as events in the application with the repair cmdletsin this instance
event log on the server where the repair its almost sure that some data loss will
Only one type of corruption can cur- is performed. Much the same happens occur because ESEUTIL will drop any page
rently be fixed for a public folder database. when repairs are applied to a public folder that it cant repair.
This is the replica list, which is repaired as database, with the exception that the repair Databases operating within a DAG have
follows: occurs on a specified public folder data- a major advantage over non-replicated
base and any results are replicated using databases in that they can patch single
New-PublicFolderDatabaseRepairRequest the public folder replication mechanism. problem pages by requesting good data
-Identity 'PFDatabase1'-CorruptionType You cant cancel or review the current from another database copy. The requested
ReplicaList status of a repair job. This functionality is data is replicated in the transaction log
likely to be added by Microsoft in a future stream and replayed by the Store to patch
When you submit a new mailbox or release. For now, the only way to terminate the problem.
public folder repair request, Exchange a repair job is to dismount a database Aside from the cases that I outlined, I
responds with a task identifier and the or move the database to another server cant think of a good reason why I would
name of the server that will handle the (or if the database crashes because of a want to dismount a database and remove
request, as Figure 2 shows. This is the mail- software bug). These actions clear out any access from users to run ESEUTIL for
box server that currently hosts the active repair jobs that might be active within the several hours to pursue some ethereal
copy of the database or where the public database. improvement that might or might not
folder database is mounted. be applied to the database. In a produc-
The only evidence of the progress that The Myth Around ESEUTIL tion environment, this just doesnt make
Exchange makes with the repair exists At times, it seems as if some commenta- sense.
in the application event log, which cap- tors endowed ESEUTIL with mythical
tures event 10047 when a mailbox repair abilities to cure all known problems in The Facts of Life
request is initiated (or event 10059 when Exchange databases. Furthermore, they Database maintenance is a fact of life for
you request repairs for a complete data- recommended that ESEUTIL should be Exchange administrators. Most of the work
base) and event 10048 when its completed run regularly to compact and repair is automatic and progresses behind the
successfully and no corruptions remain in databases so that the database would scenes, but there are some on-demand
the mailbox. These events are logged on be as efficient as possible. Lets be clear: actions that must be taken to fix problems
the server that processes the request. If a This is a myth and a fallacy that should be that occur at logical and physical levels.
corruption is detected, Exchange logs event consigned to the wastebasket as quickly The new repair cmdlets introduced in
10062 with the details of the corruption that as possible. My view is that ESEUTIL is Exchange 2010 SP1 are a welcome advance
was found and the results of the action. brain surgery for Exchange databases, because they allow on-demand logical
Note that the Store might need to make because if ESEUTIL isnt run by an expe- repairs to be performed online. However,
several repairs before it can eliminate all rienced practitioner for the right reasons, were still grappling with the command-
problems from a mailbox, so you need to it can turn a database into an incoherent line ESEUTIL utilitysurely it must be next
continue running repairs until event 10048 lump. on the list for Microsoft to modernize and
is logged to report a clean mailbox. There was a time when running update!
To ensure that performance isnt ESEUTIL against a database was the only InstantDoc ID 139870
affected, you can run only a single repair way to return space to the storage subsys-
against a complete database on a server tem and fix internal problems. That time
at one time. However, you can run up to passed at the start of the present decade Tony Redmond
100 individual mailbox repairs concur- when Microsoft finally figured out how to .com) is a contributing editor for
rently on a server (spread across multiple make background maintenance recycle Windows IT Pro and author of
databases). deleted pages efficiently. Many of todays Microsoft Exchange Server 2010
Inside Outt (Microsoft Press). His
If the database has copies within a administrators were still in short pantsits blog is available at windowsitpro
DAG, the results of any repairs made to fix that long ago! .com/go/tonyredmond.

34 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m



any busi
mandiing st
es,, reega
agee ne
lesss of si
s. S
ze,, ar
Ns of
aree lo
ferr fl
ingg to S
ityy fo
ANss to
forr a va
to addddre
etyy of ccom
ss incre
n in
r asin
Build a highly
ture scennarios, inccluding database and email servers, common file storage, and
virtualizaation. SAN Ns are incredibly popular when fault tolerance is a requirement,
available, fault-
allowing quick reco overy from disk or server failure. SANs can be built using a variety tolerant SAN
of techno ologies, ran nging from DAS, to Fibre Channel, to incredibly popular iSCSI
networks. Although many SAN archiitects and administrators focus on building a fault-tolerant disk
subsysstem, or clustering th he servers in n front of them, it isnt uncommon to find attention to the actual
connections to the SAN neeglected, with basic configurations that have single points of failure or less
than optimal overall perforrmance cau used by bottlenecks and misconfiguration.
by John Howie
Com mplicating matters is the fact that many SAN vendors provide their own device drivers and
managgement software desiigned to work with their equipmentbut the OS cant take true advantage
of them
m. Often, SANs built using equip pment from multiple vendors must use generic drivers and might
lack en
nd-to-end managem ment.
To address these probleems, Micro osoft built support for Multipath I/O (MPIO) in Windows Server,
which is designed to help businessess build highly available, fault-tolerant SAN configurations. As an
additioonal benefit, MPIO can improvve performance depending on your SAN equipment and overall
configu uration. In this articlee, I describ b some off the
be h ffeatures off MPIO iin Wi Windows
d S
Server 2008 R2
R2, and d
I proviide general recommeendations for leveraging this powerful feature in your environment.

MPIO Basics
Beforee going into detail about the feaatures of MPIO in Windows Server, its necessary to cover a few
basics about the available configuratioon options, including the benefits of each option. Note that some
of thesse options might not be availab
ble to you, depending on the type of SAN you have, as well as the
support for MPIO availablee from the manufacturer of the components that it consists of. Server 2008
R2 suppports the following six MPIO configurations:
Rou und-Robin
Leasst Queue Depth
Weiighted Path
Leasst Blocks

Faiilover. The simple Faailover connfiguration, also known as Fail Over Only, requires two or more
paths from the server to thee disks wheether DAS, via host bus adapters (HBAs) in a Fibre Channel sys-
tem, or NICs and paths in an iSCSI SAN. The SAN administrator will select one path as the primary
comm munication path and each addittional path as failover paths. Each failover path has a preference
assigned to it, and each paath is used in turn from the most preferred to the least preferred when the
primarry path fails. When th
he primary path is restored, the SAN administrator must manually configure

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 35

simply takes all requests into a single queue
for processing regardless of the number
of paths they travel over, and if the time
it takes to process each request is greater
than the time it takes a request to travel
over any individual path. Performance can
also degrade in a round-robin configura-
tion if theres a failure in a component on
a path, as well as if failover is configured
at the component level, which results in
lower performance. Figure 2 shows a typi-
cal round-robin configuration in a Fibre
Channel SAN. A variation on Round-Robin
configuration, called Round-Robin With
Subset, is one in which one or more paths
are set aside for failover in decreasing
order of preference. When all round-robin
Figure 1: iSCSI MPIO Failover and Failback
paths become unavailable, the highest
the system to use it, switching back from configuration, if a path fails, it ceases to be preference failover path available is used
the failover path in use. used by the server and is dropped from the until one or more paths in the round-robin
Failback. The second configuration round-robin pool of available paths until configuration are restored.
option, called Failback, is somewhat communication is restored. The advantage Least Queue Depth. The next configu-
related to the Failover option. Like Failover, of this configuration is that requests are ration available to the SAN administrator
a primary path is defined; when it fails, sent over multiple paths to the disk subsys- is called Least Queue Depth. It requires
communication is routed over alternative tem, which can improve performance. This drivers and components in the SAN to be
paths in decreasing order of preference. configuration doesnt take into account the able to report the number of outstanding
However, unlike Failover, communication performance characteristics of each path, requests for each path. MPIO will route
is routed back over the primary path when the complexity of the requests, or a queue proportionately more requests over the
its restored. Failback is typically used when of outstanding requests on a path, if any. path with the least number of outstand-
a primary communication path is faster or To address potential performance issues, ing requests. This configuration doesnt
has fewer devices between the server and a SAN administrator should use this con- require (or benefit from) all paths having
the disk subsystem than Failover paths figuration only if all communication paths equal performance characteristics or every
and therefore has fewer points of failure. are equal. In addition, it can be assumed request being similar in complexity. In
It should be noted that Failover and Fail- that all requests will likely be equivalent fact, this configuration is designed to work
back operations arent necessarily instan- and there will be no queue of outstanding well with uneven loads. This configuration
taneous, and there might be momentary requests on any path greater than on any doesnt have explicit failover paths defined,
disruptions in service when communica- other path (which can happen if there are either. If a path is unavailable, its simply
tion paths are switched. Although many switches or routers on the path). If these removed from consideration.
applications wont suffer from momentary assumptions hold true, a SAN adminis- Weighted Path. The next configuration
disruptions, high-performance applica- trator might still fail to see an increase in available is called the Weighted Path. Each
tions such as database servers and heav- overall performance if the disk subsystem path is assigned a weight, and among the
ily used email mailbox servers might see
even a momentary disruption as a disk
failure, which could cause unintended
consequences such as server cluster node
failovers on connected servers. For this
reason, Failover is typically preferred over
Failback unless the differences between the
primary and alternative paths are marked.
Figure 1 shows an example of Failover and
Failback configurations in an iSCSI SAN
Round-Robin. When a server has two
or more communication paths, the SAN
administrator can choose to leverage them
in a Round-Robin configuration. In this Figure 2: Fibre Channel MPIO Round-Robin

36 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

from your iSCSI Initiator (your server) to
your iSCSI Target(s). This is most simply
achieved by using multiple NICs to connect
to your iSCSI-based SAN, with IP addresses
on unique subnets. You can verify that your
iSCSI Targets can be managed by MPIO by
typing the following command:

MPclaim -s -d

Figure 3 shows this commands output. You

can get more information about any iSCSI
Target managed by MPIO by specifying the
disk number at the end of the command
Figure 3: Verifying that iSCSI Targets can be managed by MPIO for example, MPclaim -s -d 0.
After you discover possible multi-paths,
given available paths, MPIO selects the MPIO and iSCSI you can configure them using the iSCSI
path with the least weight. Before you can use MPIO with iSCSI, you Initiator client, which can be launched
Least Blocks. The final configuration need to discover existing multi-paths to from the Administrative Tools folder on the
available is called Least Blocks. MPIO iSCSI Targets. This can be done by launch- Start menu, or by typing iscsicpll from the
routes requests over the path with the least ing the MPIO tool, selecting the Discover command line. You should already have
number of pending requests. Multi-Paths tab, selecting the Add support targets listed under the Discovered targets
for iSCSI devices check box, and clicking the section of the iSCSI Initiator Properties
Installing and Configuring MPIO Add button. Note that this will cause your applet. To configure MPIO for a target,
MPIO is an optional feature in Server 2008. system to restart. You can also discover select the target and click the Connect but-
You can install it from Server Manager, or iSCSI multi-paths from the command line, ton to launch the Connect To Target dialog
you can enter the following command on again with a reboot, by typing the following box. In the dialog box, select the Enable
a command line: command: multi-path check box and then click the
Advanced button. In the Advanced Settings
ocsetup MultipathIo /norestart MPclaim -r -i -d dialog box, configure the alternative path to
"MSFT2005iSCSIBusType_0x9" your iSCSI Target; then, click OK to exit and
When the feature is installed, a new tool click OK again to exit the Connect To Target
called MPIO is added to the Administrative Obviously, for this command to work, you dialog box. Repeat these steps for every
Tools folder. Also installed is an execut- need to have support for multiple paths alternative path to your iSCSI Target.
able called MPclaim.exe. Although MPIO
is easy to install, further configuration is
highly dependent on your type of SAN and
the equipment that its comprised of. The
reason for this is that although Server 2008
R2 ships with support for whats called
a Device-Specific Module (DSM), youll
most likely need to get a DSM from your
vendor(s). DSMs can be loaded from the
MPIO tool. Before you proceed to load
DSMs and configure MPIO, I recommend
that you consult documentation from your
SAN equipment manufacturer, because its
easy to make mistakes that can result in
corrupt or lost data.
I recommend using MPIO with iSCSI,
because MPIO is supported natively in
Server 2008 R2 and doesnt require you
to load a custom DSM. In addition, iSCSI
is becoming the SAN of choice for many
enterprises because of its flexibility and low
cost of entry. Figure 44: D
Fi Device
i properties
ti for
f MPIO-enabled
MPIO bl d iSCSI Target
T t

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 37

Target, such as the IP address and port of
the iSCSI Target Portal. The Edit button
launches a dialog box that you can use to
specify the path type (active or standby)
and weight (preference) each path has for
MPIO configurations that let you specify
active and standby paths, as well as a
weight or preference for each.

Every SAN configuration is unique, whether
its the hardware used, the nature of the
requests made by servers connected to it,
or both. MPIO provides a means for you
to build high availability and, depending
on your SAN configuration, potentially
improve performance. Because each SAN is
unique, it isnt possible to provide detailed
recommendations for all situations, but
some high-level guidelines exist.
The first rule is that you should always
make certain that there are multiple paths
to your SAN from your servers, to ensure
availability of services when components
Figure 5: MPIO device details failMPIO is a means to accomplish
this. The second recommendation is that
wherever possible, you should use an
MPIO configuration that takes advan-
tage of the multiple paths to improve
performance (for iSCSI MPIO, this is
typically Round-Robin, the default). The
third recommendation is that you should
thoroughly test MPIO before putting pro-
duction data into your SAN or running
production applications. You can test
MPIO by pulling out network cables from
NICs dedicated to iSCSI connections, as
well as by shutting down Fibre Channel
switches and so on, to ensure that theres
no disruption in access to data. The last
recommendation is the most important:
Work with your SAN vendor to get your
vendors recommendations for configu-
ration of MPIO with Server 2008 R2 and
the vendors equipment. Many vendors
provide extensive documentation for free
Figure 6: MPIO pathh ddetails
Fi il on their websitea simple search will
typically find this information.
After youve added all your paths you can modify the load balance policy, InstantDoc ID 136286
to your iSCSI Target, you can view the as Figure 5 shows. The default policy for
details by clicking the Discovered target iSCSI multi-paths is Round Robin, but
and clicking the Devices button. Figure 4 you can pick from the other configurations John Howie
shows an iSCSI Target thats represented supported by MPIO, with the exception of ( is a senior
as Disk 1 on the server, with two paths Failback. As Figure 6 shows, selecting a director in the Online Services
Security & Compliance team at
to it. Clicking the MPIO button launches Path Id and clicking the Details button will Microsoft, where he manages cloud
the Device Details dialog box, from which show you details of the path to the iSCSI security.

38 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


y company has workstations connected to two separate networks. I have extremely
active email accounts on both, but I work on one machineand one networkfar Save time
o e tthan
a the
t e other.
ot e . I ca
cantt be bot
e ed to log
og back o
on to myy ot
e workstation,
o kstat o ,
which locks after only 5 minutes of inactivity, to check email. Because Im a pro-
and eliminate
grammer, I created a macro to forward email messages to my preferred machine switching
which wasnt a bad idea, but I then found myself replying to my other account
instead of to the person who originated the email! After catching some flack from people who were back and forth
waiting for my response, I decided that I should come up with a macro to insert the correct email
address in the To field, rather than my own. This turned out to be more of a challenge than Id antici-
between email
pated, so Id like to share my solution, to help you circumnavigate the gotchas that I ran into. accounts
Intercepting Reply Mail Items
Outlook, like all Microsoft applications, is highly event driven. The code fires in response to certain by Rob Gravelle
user actions, such as clicking a button, tabbing onto a control, or pressing keys. Other actions are the
result of application life-cycle events, such as startup and shutdown. Finally, there are specific events
such as adding an appointment, setting a messages importance, or receiving a new email message.
One thing to keep in mind about event-driven applications is that where you place the code is half the
battle. If you choose the wrong event, youll likely encounter all sorts of nasty side effects, including
events not firing, firing too many times, and firing at the wrong times.
Our goal here is to capture email messages that are a reply to certain forwarded emailsin par-
ticular, those that were formatted from one of our other accounts. This task seems simple, but as I
said, events can be tricky to pin down.
The most logical candidate is the MailItem_Reply event. What could be simpler? We want to run
code when we hit the Reply button. Unfortunately, the Reply event only occurs in response to open
MailItems. Thus, if youre replying to an item thats selected in the Inbox Explorer pane but not open,
the Reply event wont fire.
Another logical place to check for a reply action is the Reply button itself. You can trap the Click
event of a toolbar button as follows:

Dim WithEvents objReplyButton As Office.CommandBarButton

Set objReplyButton = ActiveExplorer.CommandBars.FindControl(, 354)

However, this also turns out to be the wrong place, because it runs afterr the MailItems Reply event,
so you cant get a handle to it from there.

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 39

Object and Procedure drop-downs. Note
in Figure 2 that my Close and Open events
are in bold because I added those events
to my code. To add an event, you simply
have to select it from the list; Outlook will
add an empty sub to the module:

Private Sub myMsg_Open(Cancel As

End Sub

Figure 1: Outlook 2010s Developer tab

Binding myMsg to the Inspectors_
I could go on, but lets end the sus- The Visual Basic button will appear on the NewInspector Event
pense. The best place for changing far left, as Figure 1 shows. At this point weve declared a MailItem
message properties turns out to be the object and created an event for it, but we
MailItem_Open event. Although its more Accessing the MailItem_Open still need to set it somewhere. The place to
generic than what we want, there are Event do so is in the Inspectors_NewInspector
ways to narrow the scope to what were The secret to accessing an objects event event. The Inspectors object is actually
looking for. in Outlook is to include the WithEvents a collection that contains the Inspector
keyword in the object declaration. The objects representing all open inspectors.
Visual Basic Editor Any time you open a window in which
All Microsoft Office applications come with The best place for an Outlook item is displayed, that item
a full-featured IDE, called Visual Basic Edi- is an inspector. Again, were scattering
tor, that provides an interface for accessing changing message our shots all over the place because an
application object models through code inspector can contain anything from a
so that you can call object methods, set properties turns out new appointment to a new task item. The
object properties, and respond to object good news is that weve narrowed down
events. The code used to accomplish these
to be the MailItem_ the field to items that are new. Therefore,
goals is a specialized subset of the Visual
Basic (VB) language, called Visual Basic for
Open event. opening an existing email message wont
cause the Inspectors_NewInspector event
Applications (VBA). following code should be placed at the to fire.
A Developer tab on the Outlook ribbon top of the ThisOutlookSession module: We can get at the Inspectors events the
lets you access Visual Basic Editor and same way as we did with the MailItem.
other developer tools. However, this tab is Public WithEvents myMsg As Outlook First, we use WithEvents to declare it, as
disabled by default to protect you against .MailItem follows:
viruses and other malicious code. There-
fore, you need to perform the following After you add the object declaration, Public WithEvents myOlInspectors As
steps before you can use it: you can access it and its events from the Outlook.Inspectors
1. Select Outlook Options from the
File tab to open the Outlook Options
dialog box, and click Trust Center.
2. Click Trust Center Settings, then
select the Macro Settings option on the
3. Select the macro security level that
suits your comfort level, keeping in mind
that this setting also pertains to other
peoples macros and not just your own.
If you dont want to give all macros carte
blanche, you can have Outlook display a
prompt each time a macro is about to run.
That way, you can decide whether or not
you want to let the macro run. This option
is called Notifications for all macros.
4. Restart Outlook for the changes to
take effect. Figure 2: Object and Procedure drop-downs

40 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

line>. Therefore, a subject that begins with
Listing 1: Setting the myMsg MailItem Object
RE: From was forwarded from the other
Private Sub myOlInspectors_NewInspector(ByVal Inspector As Inspector)
If Inspector.CurrentItem.Class = olMail Then network.
If Len(Inspector.CurrentItem.EntryID) = 0 Then Finally, the sender should be yourself.
Set myMsg = Inspector.CurrentItem
End If The MailItem.To field is the place to find
End If
End Sub) that information:

Private Sub myMsg_Open(Cancel As

Listing 2: Replacing Your Email Address With That of the Original Sender(s) Boolean)
With myMsg.recipients If myMsg.subject Like "RE: From*" _
.Remove 1
.Add sender and myMsg.To Like
.Item(1).Resolve "Gravelle*Robert*") Then
If Not .Item(1).Resolved Then
'could be using "lastname, firstname" display format
'used for known users on originating network End If
If InStr(1, sender, ", ") Then
Dim senderNames() As String End Sub
senderNames = Split(sender, ", ", 2)
'reverse name order and convert to Retrieving the original sender from
'firstname.lastname@networkaddress format
sender = senderNames(1) & "." & senderNames(0) & "" the message subject. The subject will con-
.Add sender tain either the senders display name or
End If email address, depending on whether the
'didn't work. Leave it empty.
If Not .Item(1).Resolved Then myMsg.To = "" sender is a member of the originating
End If network. In either case, we need to parse it
End With
from between the RE: From and colon (:)
subject text. The following code achieves
Then we can access the newInspector() The myMsg_Open Event this action:
sub: The MailItem_Open event is the ideal place
to set message values because it hasnt yet Dim sender As String, pos As Integer
Private Sub myOlInspectors_ appeared on the screen. After that hap- pos = InStr(9, myMsg. Subject, ":") - 9
NewInspector(ByVal Inspector As pens, good luck changing its values! The sender = Trim(Mid(myMsg.Subject, 9,
Inspector) following sections provide a step-by-step pos))
End Sub walkthrough of how to set the To, Subject,
Setting the To field to the original
Before we set our myMsg MailItem, we sender. Replacing your email address with
have to perform a couple of checks to
The EntryID the original senders wont ensure that the
accept only the inspectors that we want.
The first test is whether the item is in fact an
property isn't set mail server recognizes the sender. There-
fore, applying the Recipient.Resolve() func-
email message. The last thing wed want to
do is try to set a MailItem to another type.
for an Outlook tion will help. A failure to resolve the address
is most likely caused by the display name
The inspector, which is passed to the sub, item until it's either being used instead of a full email address.
has a CurrentItem property that refers to Its actually not that difficult to fix, because
the item the user is currently viewing. We saved or sent. we know the originating networks host
can check its Class property to determine name. In my case, converting the display
whether its a MailItem. In fact, theres a and Body values to match those of the name (formatted as Lastname, Firstname)
constant named olMail that can be used original email. into a proper email address (formatted
for this purpose. After you set the myMsg MailItem as
Another necessary check is for the object in the Insepctors_newInpector() requires nothing more than reversing the
unique ID string that the Messaging event, every new email message will trigger name order, inserting a period between
API (MAPI) store provider assigns when the MailItems Open event, whether its a them, and appending the email address. A
an item is created in its store. Listing 1 reply, a forwarded message, or a brand- second call to Resolve() will confirm that
contains the code to perform this check. new message. this action did the trick. If not, I just leave
Therefore, the EntryID property isnt Identifying forwarded emails. We can the To field empty. However, Ive never
set for an Outlook item until its saved rely on the RE: prefix that Outlook adds to encountered this condition yet. Listing 2
or sent. This will separate our replies the subject to identify our replies. More- contains the code to set the To field to the
from those of other people. Setting the over, our forwarded email messages have a original sender.
MailItem as in Listing 1 will cause its subject line in the following format: From Setting the subject. As in all forwarded
Open event to fire. <sendername>: FW: <original subject email messages, the original subject line

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 41

The latter is my preferred solution because
Listing 3: Formatting the Message Body the Same as the Original Message
different body formats can make parsing a
If safemsg.subject Like "RE: From*" _
And safemsg.To Like "Gravelle*Robert" Then nightmare.
'set the body to the original email Its best to take care of the message body
Set myOlSel = Application.ActiveExplorer.Selection
If myOlSel.Count = 1 Then first, before manipulating the subject line.
If myOlSel.Item(1).Class = OlObjectClass.olMail Then
Set oOriginalEmail = myOlSel.Item(1) As youll see, the code that finds the origi-
Dim strParentConversationIndex As String nating message, called the parent, uses the
strParentConversationIndex = Left(oOriginalEmail.ConversationIndex, _
Len(oOriginalEmail.ConversationIndex) - 10) ConversationTopic property. Changing the
message subject alters this property.
If strParentConversationIndex <> myMsg.ConversationIndex Then _
Set oOriginalEmail = FindParentMessage(myMsg) Finding the parent is a two-step pro-
If Not oOriginalEmail Is Nothing Then cess. First, the code checks the currently
Select Case oOriginalEmail.BodyFormat selected message in the active Explorer
Case olFormatHTML
myMsg.HTMLBody = oOriginalEmail.HTMLBody window. The currently selected item in
Case olFormatPlain, olFormatRichText the Explorer window is likely to be the
myMsg.Body = oOriginalEmail.Body
End Select parent. We can confirm this by comparing
End If
End If the ConversationIndex of our reply to the
End If message. When you reply to a message,
Outlook removes 10 characters (5 bytes)
from the ConversationIndex. Hence, the
Listing 4: Using the ConversationIndex and ConversationTopic Properties to Locate the parent emails ConversationIndex minus
Original Message
the last 10 characters will match the replys
Function FindParentMessage(msg As Outlook.MailItem) As Outlook.MailItem
Dim strFind As String ConversationIndex.
Dim strIndex As String To set the message body, we need to
Dim fld As Outlook.MAPIFolder
Dim itms As Outlook.Items check the body format, because it could
Dim itm As Outlook.MailItem be HTML, RTF, or plain text. A Select Case
On Error Resume Next statement, such as that in Listing 3, is used
strIndex = Left(msg.ConversationIndex, _ to set the appropriate body property.
Len(msg.ConversationIndex) - 10) As I said, the currently selected message
Set fld = Application.Session.GetDefaultFolder(olFolderInbox)
strFind = "[ConversationTopic] = " & _ in the active Explorer window is likely the
Chr(34) & msg.ConversationTopic & Chr(34) parent of the reply. However, its also pos-
Set itms = fld.Items.Restrict(strFind)
For Each itm In itms sible that it isnt. For instance, if you use
If itm.ConversationIndex = strIndex Then
Set FindParentMessage = itm the button on the MailItem Inspector to
Exit For reply, you might have selected any number
End If
Next of other messages since opening the for-
End Function warded email message. (You might even be
in another folder altogether.) Assuming that
begins immediately after the FW: prefix appends some text to the body, such as youre still in the same folder that the parent
. InStr() is used to find the original subject your signature and the originating mes- originated from, you can use the MAPI-
lines position in the string. The text that sages properties. Although not essential, Folder.Items.Restrict() function to find the
follows is appended to the RE: reply iden- its possible to remove the extra section parent. This function accepts a specially
tifier; thus, REMINDER: Network Main- formatted string that contains the property
tenance would be parsed from From Every time you to search and its value. The function returns
Smith, Bob: FW: REMINDER: Network a collection of items. The Conversation-
Maintenance, as follows: reply to or forward Index is then checked against these items
to locate the parent. Listing 4 contains
pos = InStr(9, subject, ":") - 9 an email message, the code that calls the MAPIFolder.Items
.Restrict() function.
'start search after the "RE: From"
pos = InStr(pos + 1, myMsg. Subject,
Outlook appends
text to the body. Circumventing Outlooks Infamous
myMsg.Subject = Left(myMsg. Subject, Warning Dialog
4) & _ from the email and revert the message Because its such a popular product, Out-
Trim(Mid(myMsg. Subject, pos + 3)) body back to that of the original message. look has long been the target of hackers.
There are two ways to do this: You can To help thwart the attempts of attackers,
Setting the message body to the origi- either parse the message to remove the Microsoft implemented numerous security
nal text. As you know, every time you reply extra text, or you can replace the entire features into Outlook. Im all for secu-
to or forward an email message, Outlook message body with that of the original one. rity, but I wish Outlooks security police

42 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

and functions, Redemption objects com-
pletely bypass the Outlook object model
and behave exactly like Outlook objects
with no security patch applied.

Using Redemption in the myMsg_

Open() Event
Making the MailItem.Open() event code
work with Outlook Redemption requires
replacing all read references to the Mail-
Items sender and recipients with Redemp-
tions SafeMailItem. One caveat to using
the SafeMailItem is that you cant access
recipient information until the message has
been saved. Therefore, you cant retrieve
Figure 3: Security warning in Outlook 2010
information about a messages recipient list
for new messages. However, this problem is
Listing 5: The Complete MailItem_Open() Subroutine easy to remedy: Just call the Save() method
Private Sub myMsg_Open(Cancel As Boolean) on the original MailItem before assigning
Dim safemsg As New SafeMailItem
it to the Redemption SafeMailItem. This
safemsg.Item = myMsg
action adds the SafeMailItem to the Drafts
folder. After you assign the SafeMailItems
If safemsg.subject Like "RE: From*" _and safemsg.To Like "Gravelle*Robert*" Then
Dim sender As String, subject As String, _ Item property to the original mail message,
pos As Integer, sendTo As Redemption.SafeRecipient you can access both the MailItem and addi-
subject = safemsg.subject
pos = InStr(9, subject, ":") 9 'start search after the "RE: From" tional Redemption properties.
sender = Trim(Replace(Mid(subject, 9, pos), vbTab, ""))
safemsg.recipients.Remove 1
Other than the addition of a Redemption
safemsg.recipients.Add sender .SafeRecipient object to handle resolving
Set sendTo = safemsg.recipients(1)
sendTo.Resolve the email address, the rest of the code
If Not sendTo.Resolved Then is largely identical to the original Open
'could be using "lastname, firstname" display format
'used for known users on originating network event. Listing 5 contains the code to set the
If InStr(1, sender, ", ") Then
Dim senderNames() As String
sender and subject line using Redemption.
sendTo.Delete It doesnt contain the optional code to set
senderNames = Split(sender, ", ", 2)
sender = senderNames(1) & "." & senderNames(0) & _"" the body.
safemsg.recipients.Add sender
Set sendTo = safemsg.recipients(1)
sendTo.Resolve Grab Your Fork and Dig In
End If
End If
Although replying to a forwarded email
myMsg.To = IIf(sendTo.Resolved, sendTo.Address, "") message isnt as simple as setting a rule,
'set the subject Outlook does provide the capability to do
pos = InStr(pos + 1, subject, "FW:") so, as long as youre willing to venture into
myMsg.subject = Left(subject, 4) & Trim(Mid(subject, pos + 3))
End If the world of Outlook events and VBA code.
End Sub
Many people steer clear of this part of Out-
look for fear of introducing bugs into their
wouldnt intercept my own code. Im not Redemption feature. Redemption is a regu- beloved email application. However, all you
trying to bring down my own machineat lar COM library; after its registered on the need to do is take a little time to consider the
least not on purpose! system, its accessible to any programming best event(s) in which to place your code.
Microsoft Office 2010, 2007, 2003, 2000, language (e.g., VB, VBA, VC++, Delphi). Everything after that is a piece of cake!
and 98 all include this Outlook security Redemption uses extended MAPI (which InstantDoc ID 140409
patch in SP2. When a macro tries to read isnt affected by the security patch because
any email properties, youll see a warning it isnt accessible to the scripting languages) Rob Gravelle
dialog box such as the one in Figure 3. to duplicate the functionality blocked by the resides in Ottawa, Canada, and is
You cant do much about these annoying security patch. All Safe*Item Redemption the founder of GravelleConsulting
.com. Rob has built systems for
dialog boxes; even setting the security level objects have an Item property that must be intelligence-related organizations
to low (which I dont recommend) wont set to an Outlook item. Through the Item such as Canada Border Services
affect them. property, you can access any MailItem and for commercial businesses. In
his spare time, Rob has become
Luckily, there are a few workarounds. properties and methods, both blocked and an accomplished guitar player and
My personal favorite is to use the Outlook not blocked. For the blocked properties has released several CDs.

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 43


NETIKUS on the iPhone MSI Notebooks

Nexsan NAS ERPM Update

MSIs Powerful X460 and X460DX integrated webcam for

Notebooks easy expansion and
MSI released its X460 and X460DX networking. For more
notebooks, 14 mobile powerhouses for information, visit www
professionals on the go. Part of the X
Series ultra-slim notebooks, both units
are powered by Intel Core processors, Twisted Pair Gives
Integrated Intel GMA HD or nVidia GeForce Microsoft Lync Users
GT540M video cards, Microsoft Windows Access to Mobile
7, and THX TruStudio PRO. Featuring Intel Workers
Wireless Display (WiDi) 2.0, the X460 model Twisted Pair Solutions
lets users easily connect their laptops to released WAVE Communicator for Nexsans E5000 Family of NAS
any television unit using standard Wi-Fi. Microsoft Lync, an application for extend- Systems
All models come with two USB 3.0 ports, ing the voice capabilities of Microsoft Nexsan announced the first two models
HDMI connectivity, and 1.3-megapixel Lync Server 2010 to mobile workers. of the E5000 Family of NAS systems, the
WAVE Communicator extends the reach E5110 and the E5310. Both models are
of Microsoft Lync so that office-based feature-rich and use the revolutionary
workers and mobile workers using FASTier cache, which utilizes multiple SSD
smartphones can simply and securely technologies that work transparently to
communicate via voice or text while shar- boost performance for random I/O work-
ing valuable information such as status loads, including applications that are run
and presence. WAVE Communicator is a on top of virtualized computing environ-
key component of WAVE 5.2, the latest ments such as VMware, Xen, and Hyper-V.
version of Twisted Pairs communications The E5000 Family is the latest addition to
platform. Contact Twisted Pair at www Nexsans Flexible Storage Platform. For more information visit

PRODUCT Nimbulas Cloud OS Runs

SPOTLIGHT Geographically Distributed Clouds
Nimbula introduced Nimbula Director
1.5, the newest release of its cloud OS that
EventSentry Comes to the iPhone helps enterprises and service providers
build powerful private, hybrid, and public
NETIKUS.NETs EventSentry provides trap daemon is also available in the tools cloud infrastructure. Nimbula Director
monitoring capabilities for critical free edition, EventSentry Light. The SNMP abstracts the underlying technology to
infrastructure systems. NETIKUS.NET has daemon is extremely easy to set up, so any- present a coherent view of a completely
released a new version of EventSentry body can configure basic SNMP monitoring automated compute and storage cloud.
(2.92), and its got some cool changes at no cost in a matter of minutes. Providing a one-stop virtual data center
worth pointing out to you network The company also released a native management solution, Nimbula Director
admins out there. iPhone app (it hopes to introduce apps for isolates customers from the operational
The biggest other platforms soon), which gives you basic and hardware complexity associated
change is the information about the monitored hosts from with deploying a private or public cloud.
introduction the iPhone. Unlike some other offerings, its With version 1.5, Nimbula Director is now
of an SNMP not just a web page but a real iPhone app capable of supporting a geographically
daemon, which that takes advantage of the iPhone function- distributed cloudan industry first. For
lets you receive ality, such as swiping. For more informa- more information, visit
SNMP traps tion about EventSentry 2.92, check out the
(v1, v2, v3) with company blog at NetWrixs Security and Compliance
EventSentry blog/2011/06/eventsentry-iphone-app-new- Auditing Solution
traps. The SNMP v29.html. NetWrix released a new version of its
Change Reporter Suite, a change-auditing

44 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

NEW & IMPROVED Pauls Picks
SUMMARIES of in-depth epth
product reviews on Paul
Thurrotts SuperSite for

Microsoft Touch Mouse

PROS: Multi-touch functionality for Windows
in familiar form factor; OS X-like app switch-
ing in new Instant Viewer; BlueTrack accuracy
CONS: Requires Windows ; multi-touch is awk-
ward on mouse surface; ergonomic concerns
RECOMMENDATION: Appearing about
two years after Apples very similar Magic
Mouse, Microsoft Touch Mouse provides
solution that lets you track who made what (ERPM) solution with expanded cross-plat- multi-touch gestures for scrolling, window
management, and application switching,
changewhen and wherein the entire form discovery and propagation capabili-
as well as offering Microsofts vaunted
IT infrastructure to assist with security and ties; enhanced multi-factor authentication BlueTrack technology. But ultimately, it
compliance policies and regulations, such to protect privileged logons from key log- suffers from typical ergonomic issuesits a
as SOX, HIPAA and PCI. NetWrix Change ging, social engineering, and other attacks; bit smalland from the same problems that
Reporter supports many types of managed and greater flexibility to grant authorized dog Apples Magic Mousemainly that its
easier to perform multi-touch gestures on a
systems, including Active Directory (AD), IT staff immediate access to systems for
flat a screen or trackpad.
file servers, storage appliances (NetApp, servicing, configuration, and repair. The
CONTACT: Microsoft
EMC), Microsoft Exchange Server, SQL new ERPM two-factor authentication
Server databases, virtual and physical supports hard tokens, soft tokens, event DISCUSSION: See the review Microsoft
Touch Mouse, http://www.winsupersite
infrastructures (VMware and Microsoft), tokens, time tokens, six-digit tokens, eight-
SharePoint, and more. New features digit tokens, and token values delivered via mouse-140081.
include real-time change alerting, snapshot SMS or email. Find additional information
reporting, and enterprise-level scalability. at
Contact NetWrix at Big Nerd Ranch iOS Developer
ManageEngine Boosts On-Demand Training
Liebermans Enterprise Random Applications with AD Integration PROS: Excellent course materials and
Password Manager Update ManageEngine recently gave a boost to its instructors; distraction-free and immersive
Responding to the proliferation of On-Demand applications with AD integra- environment
high-profile data breaches in corporate, tion for ServiceDesk Plus On-Demand, CONS: Highly technical; aimed at very
financial, and government enterprises, the ITIL-ready cloud-based Help desk and experienced developers
Lieberman Software has updated its asset management solution, through the RATING:
Enterprise Random Password Manager OASIS Security Assertion Markup Language RECOMMENDATION: Yes, there are
(SAML). Single Sign-on enables users to many ways to learn iOS development,
now leverage the advantages of the single but this is dense, complicated stuff, even
for experienced developers, because of
sign-on capability provided by Windows
the vagaries of Objective C, the Cocoa
Integrated Authentication and access Touch frameworks, and Apples inscrutable
ServiceDesk Plus On-Demand with one less developer tools. The experts at Big Nerd
password to remember. A free 30-day trial Ranch can claim a legacy that includes
of ServiceDesk Plus On-Demand is avail- stints teaching Apples own developers. The
class is held in a rural Atlanta-area location,
able at
or you can bring Big Nerd Ranch to your
service-desk/signup.html. own location.
CONTACT: Big Nerd Ranch bignerdranch
DISCUSSION: See the review Achieving
Nerdvana With Big Nerd Ranch, http://www

InstantDoc ID 140379

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 45


vCloud Express
IT professionals are faced with endless
projects and administrative tasks, including
provisioning test virtual machines (VMs).
What if you could offload some test servers
to a cloud-based provider and unleash
developers to spin up new VMs at will? Or
what if you need to do extensive testing
and you have high resource demands or
you need isolated test machines? These are
some of the many use cases for VMwares
vCloud Express, a cloud-based virtualization
solution offered by both Virtacore Systems
and Terremark. Figure 1: vCloud Express web console
I purchased vCloud Express from Virta-
cores website. I used the web-based portal To access the servers the first time on there was no way to block the display of the
to enter my credit card and other basic any Windows machine, click the Console old password, which was confusing.
information to order the software. After less button for any server. Youre then prompted Cloning server groups or copying a
than 24 hours, my account was approved to download the VMware Remote Console server group is a handy way to template a
and logon information was emailed to me. Plug-in, a 21MB download thats used for group of VMs for rapid deployment or simply
After I logged on, I clicked the oversized connecting to VMs. For the console to install, to save a group of VMs. A cold-copy function
Create a New Serverr button, which launched Internet Explorer (IE) cannot be running. exists for each VM. However, snapshotting
a wizard to create a VM. Two public cloud After I installed the plug-in and clicked isnt supported.
locations exist: Virginia (the default for new Console to launch the VM I wanted, the Although vCloud Express is new and has
servers) and California; these locations are system launched the VMware Remote a few configuration kinks, it delivers a fast
represented by separate tabs in the easy- Console. I was impressed with the console VM connection, a speedy Internet connec-
to-navigate web console, which Figure 1 especially the mouse scrolling and keyboard tion, and a representative choice of prebuilt
shows. Options in the wizard include the operations; there was absolutely no mouse, VMs. This product is a solid option for IT pro-
vApp group (server group), server name and screen, or keyboard latency in my testing. fessionals looking for creative ways to meet
description, and which OS template to use. The robust performance made me feel like I the high demands of development staff, or
OS choices are various builds of CentOS, Red was using an RDP connection to the server. those who need access to test VMs.
Hat, Ubuntu, and Windows. For my testing, Performance was excellent. I ran InstantDoc ID 139998
I focused on Windows, which is available DCPROMO to create a domain in just a vCloud Express
in 32-bit Windows Server 2008 R2 (which few minutes. However, the speed to create
is natively 64-bit) or Windows Server 2008. or power up VMs varied dramatically. For PROS: Easy setup; quick deployment; wide
Unfortunately, no license options exist for example, powering up a VM took more than range of OS choices
workstation client installations or older 10 minutes one day but only a few minutes CONS: Uneven performance; no support for
server versions, such as Windows Server the next day. My VMs had plenty of proces- Windows Server 2003
2003which limits some testing. sor capacity. The default 50GB of disk space RATING:
After you select the OS, the next choice is for a Windows machine is adequate for
PRICE: Pay as you go, credit card only; price
the size of the VM, which defines the mem- initial provisioning, but it wasnt clear how
ranges from $.09 to $1.12 per hour for licensed
ory/disk/CPU combination. All machines to add storage space. Antivirus protection Windows-based servers, depending on memory
have two to eight virtual CPUs and memory isnt included, so I installed ClamWins open- and processor configuration
ranges from 1GB to 16GB; disk space is fixed source antivirus protection (www.clamwin
RECOMMENDATION: vCloud Express offers a
at 5GB. After I ran through the wizard, a VM .com), which worked for testing purposes. rapid path to a development/test environment
was created in a matter of minutes. The interface did have some quirks. for time- or resource-strapped admins who lack
I powered on the new VM, then I used For example, I changed the administrator a test environment or Windows licenses, or who
the supplied username and password password on a machine, but the software need a completely segregated test environment.
combination to log on. However, I couldnt didnt update the Virtacore web console that CONTACT: Virtacore Systems 888-573-7837
access the Internet. I checked the rudimen- displays the administrator password. Also,
tary firewall in the Virtacore web console,
but no firewall rules existed to filter traffic. I
Tony Bieda |
contacted Virtacore and a support engineer
quickly resolved the problem.

46 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Quest Softwares vWorkspace uses proprie- supports Microsoft System Center Virtual from both the local vWorkspace AppPortal
tary agents installed on existing servers and Machine Manager (VMM) 2008 R2; however, application and the vWorkspace web
virtual machines (VMs) to create a unified I was running VMM 2012 beta and couldnt interface. The client experience was quick
view of an organizations desktop virtualiza- connect vWorkspace to my management and intuitive. Quest enhancements such
tion environment. The software uses an serveralthough I could connect it directly as Adobe Flash redirection and support
enhanced version of Microsofts Remote to the underlying Hyper-V host. I wasnt for Microsoft RemoteFX worked well and
Desktop client to deliver a user environment running either VMware vSphere or Parallels produced a much slicker client experience
with a rich media and graphics experience, Virtuozzo in my lab. than is normally possible within a standard
with applications delivered seamlessly from Provisioning virtual desktops for VDI RDS environment.
any number of sources, such as Micro- accessibility was straightforward, but the vWorkspaces configuration is a little
soft Application Virtualization (App-V) or automated import again failed. I needed too manual, and the available wizards
Remote Desktop Services (RDS) servers. to manually install the management often arent very helpful, especially when
This user experience is consistent across agent, enable Remote Desktop, and allow something goes wrong. Its also something
multiple platforms, including non-Windows it through the firewall before vWorkspace of an all-or-nothing approach, with locally
platforms such as Linux and Apple iOS, could import the system for use in the installed hooks into every system, which
and is managed from a central vWorkspace vWorkspace environment. The vWorkspace makes ongoing maintenance overhead
administration console. system failed to push the agent to the difficult. However, vWorkspace delivers an
I installed the vWorkspace 7.2 MR1 workstation, despite being a member of the enhanced client experience thats nearly
connection broker in my Hyper-V lab on same domain and having access to domain impossible to achieve if you try to deliver
a Windows Server 2008 R2 system, with administrator credentials. your entire desktop virtualization solution
SQL Server 2008 Express pre-installed. The I was able to easily import users, groups, within the same vendor stack. vWorkspace
SQL Server installation is typically handled and computers from Active Directory (AD) supports a wide variety of platforms and
automatically by the product installer when into the vWorkspace farm in preparation for provides improvements in application deliv-
no local or remote SQL Server instance is assigning resources to them. In the world ery and client-side multimedia performance.
available, but this process failed, requiring of vWorkspace, a resource can be anything In addition, vWorkspace is well-positioned
me to install SQL Server manually. from a managed application on a Remote to enhance your existing virtualization
The vWorkspace connection broker runs Desktop host or VDI system to a drive map- investments rather than as a competitive
on Windows Server 2003 SP2 or later (x86 or ping to a wallpaper setting. Resources are replacement. Finally, the product unifies
x64) and requires SQL Server 2008/2005 or then assigned to individuals or groups of otherwise disparate vendor technology,
SQL Server Express 2008/2005 (x86 or x64). users to create a virtual desktop experience, making it a genuine value-add.
It supports Microsoft Hyper-V Server 2008 abstracted away from the underlying virtu- InstantDoc ID 140085
R2; VMware ESX 4.1, 4.0, 3.5 U4, 3.5, and 3.0; alization technology, with the vWorkspace
and Parallels Virtuozzo 4.6, 4.5, and 4.0. system acting as the connection broker. Cli- vWorkspace
Like many similar products that provide ents then connect to these resources using
an open administrative framework, vWork- the vWorkspace client (an enhanced version PROS: Unifies a wide range of vendor technolo-
gies; high-quality vendor support
space takes a while to navigate and config- of Microsofts Remote Desktop client) or
ure, although the UI will be comfortable to vWorkspace Web Access. CONS: Significant manual configuration of hosts
anyone familiar with the Microsoft Manage- I was able to create some Hyper-V work- and virtual desktops; unhelpful errors
ment Console (MMC) or Microsoft System station resources and assign them to users, RATING:
Center products. The admin console also but I ran into several problems accessing
PRICE: $219 per user, with 12 months of main-
comes with a Quick Start Wizard to quickly them, due to Network Level Authentication tenance and 24 7 Business Critical Support;
import virtual desktops, Remote Desktop (NLA) configuration issues on the worksta- government/education pricing also available
(RD) Session Hosts, or blade PC systems. tions. Quest was able to replicate the prob-
RECOMMENDATION: I recommend vWork-
Theres also plenty of offline documentation. lems and assisted me via WebEx sessions to space to any company looking to maximize ROI
Unfortunately, the automated provision- overcome them. I was then able to create on existing desktop virtualization technologies
ing process assumes that youve already and assign an RDS server and applications. and deliver an improved and more productive
prepared the various host systems by install- From a standalone Windows 7 worksta- user experience.
ing the vWorkspace Connector and opening tion, I was able to access the Hyper-V work- CONTACT: Quest Software 949-754-8000
the relevant TCP ports in the firewall. I stations, terminal server, and applications
hadnt done this and therefore received
network failure errors. After I installed the
James Bannan |
agent software and opened the firewall, the
import completed successfully. vWorkspace

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 47


Dell KACE K2000

The Dell KACE K2000 is a client OS deploy-
ment appliance that supports both Mac OS
and Windows OS images. The K2000 comes
as a 1U rack-mounted server. You can also
deploy the K2000 as a virtual machine (VM)
in a VMware environment. Because it runs a
version of the BSD UNIX OS, the K2000 isnt
supported on Microsofts Hyper-V platform.
The K2000 uses a file-based imaging
technology known as K-imaging. One ben-
efit of K-imaging is that when you capture a
new image, only data that hasnt previously
been captured is transmitted to and stored
on the unit. This technology minimizes the
amount of time subsequent OS image cap-
tures take, as well as reduces the amount of
Figure 1: KACE administration console
space you need to store multiple OS images.
The K2000 uses a web-based adminis- fully automate the task of performing a appliance. There are also links to the KACE
tration console, which Figure 1 shows. This wipe and load migration from Windows XP support website, which hosts video tutorials
console means you dont have to install to Windows 7, while retaining user data. and FAQs. Customers also get several hours
software locally on the computer you use Although its certainly possible to do this setup and deployment training from the
to manage OS deployment. The console is using MDT 2010 and Microsoft System vendor to ensure that they arent thrown
straightforward and well-designed. When Center Configuration Manger (SCCM) 2007 completely in the deep end when the prod-
preparing an OS deployment, you drag and R3, the process is complicated and can take uct arrives.
drop tasks, such as disk partitioning and time to get right. InstantDoc ID 139871
user state migration, into the order you want The K2000 supports driver harvesting,
them completed. The K2000 console stream- allowing you to rapidly populate the device Dell KACE K2000
lines what can be a complicated and arcane with all the drivers used in your organization.
task in other products. You can also configure computer inventory PROS: Makes OS deployment tasks straight-
If your organization uses only Windows tasks, which lets you verify that a specific forward, including post-installation application
deployment; allows Mac OS deployment; simpli-
desktops, you can use Windows Deployment hardware configuration can be upgraded
fies building complex tasks, such as user state
Services and the Microsoft Deployment Tool- before the OS image is deployed. You can migration
kit (MDT) 2010 to accomplish most of what leverage the K2000s built-in DHCP server
CONS: Difficult to justify purchasing a separate
the K2000 does. Where the K2000 adds value to support Preboot Execution Environment
product for organizations running only Windows
is that it sits on top of these tools, providing (PXE) deployments, or you can integrate the desktops and already licensed for Microsofts
you with an optimized way of accomplish- K2000 with your existing DHCP infrastruc- System Center suite
ing the same tasks. For example, the User ture by configuring the appropriate DHCP
State Migration Toolkit (USMT) is a powerful options.
command-line utility that lets you migrate For organizations that have mul- PRICE: $5,466 for 100 nodes and 1 year of sup-
port and maintenance; $20,599 for 1,000 nodes
user data from one computer to another in tiple sites, rather than deploy a full K2000
and 1 year of support and maintenance; $40,006
desktop upgrade or replacement scenarios. appliance to each site, you can deploy a for an unlimited site and 1 year of support and
The drawback of the USMT is that to fully stripped-down K2000 remote site appliance, maintenance
leverage the tool, you need to become which is a VM in open virtualization format,
RECOMMENDATION: If your organization
conversant with some obtuse command-line as a way of scaling out your deployment wants to improve OS deployment and user
functionality and XML file configurations. infrastructure. state migration and isnt eligible for the System
The K2000 insulates you from all of that, The K2000 product documentation is Center suite, or you need to automate Mac OS
letting you fully leverage the power of USMT available from the web console. The docu- deployment, the KACE K2000 can make your life
significantly easier.
without having to get into the nuts and mentation provides useful walkthroughs
bolts of using the command line correctly. for all the tasks you can perform with the CONTACT: Dell 877-646-8366
You still need these tools, but the K2000
makes them easier to use.
Orin Thomas |
One thing I liked about the product
was that its relatively straightforward to

48 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


An end-user perspective of the leading cloud office suites

by Zac Wiggy

lot of the benefits of moving to the cloud are on the its aimed at employees in an enterprise who wont be working on
back endsuch as reduced support costs, simpli- machines of their own. At $16 a month, Microsofts enterprise plan
fied storage architecture, and trading up-front costs (Plan E2) gives access to Microsofts web apps. The companys $27
for long-term expenditures. However, there are a month plan (Plan E4) includes licenses for Microsoft Office and
numerous benefits to end users, and theres less of a enterprise voice capability. Microsofts structure includes numer-
tradeoff in features than Id thought. For starters, files ous options, including plans aimed at small businesses.
are stored in simple web interfaces instead of in obscure shared Microsoft loses on price herethe companys least expensive
network drives, and collaboration is easier. Working from multiple plans will work for you only if your employees have simple, specific
machines no longer involves emailing files to yourself. Microsoft needs. In contrast, Googles inexpensive offering gives your users a
and Google are both giving their online office suites a lot of effort functional cloud office suite. But you can get a lot more from Office
and because these services are in the cloud, theres no reason the 365 if you pay for it, and at the high end it can act as a good chunk
companies cant update their offerings constantly. of an enterprise-class infrastructure. These IT-level options are
Still, your users will have to make some sacrifices if you go with outside the scope of this review, but know that theyre available.
a cloud office suite. Traditional on-premises office suites (mainly
Microsoft Office, but also its open-source competitors) are remark- Overall Experience and File Management
ably advanced and have tons of features. Even though the average Getting started with Google Apps is simplejust go to Googles web-
user probably wont use most of these advanced features, youre site. Using Office 365 requires you to install some software. You need
likely to have users who will miss certain features if you move to a browser plug-in, and you have to install Microsoft Lync for com-
web apps. And no matter how good your online office suite tools munication. You can use Microsoft Outlook or Outlook Web App
are, Internet access goes down unexpectedly sometimes. Consider (OWA) to connect to Office 365. Be careful if youre using an existing
these pros and cons carefully before deciding to move ahead. Microsoft Exchange Server infrastructure, thoughLync replaced
Microsoft Office 365 and Google Docs are the two main players Microsoft Office Communicator on my machine and wouldnt con-
in online office suites right now. These two suites provide funda- nect to my organizations Communicator infrastructure without a
mentally different experiences for end users. Office 365 is primarily registry hack. Outlook 2007 also refused to connect to both Office
meant to tie into traditional, locally installed copies of Microsoft 365 and the companys Exchange server at the same time.
Officeand thats where your users are likely to do most of their When you sign up for Office 365, you get a subdomain of
work. Google Docs is all about working in browsersyou can import (I got Go to your site
and export Office files, but web apps are Googles focus. In this com- and click Member Login to obtain access. After you log in, youre
parison, I look at both suites from a users perspective. presented with your recently used documents as part of your
SharePoint Team Site. Getting to your documents is easy, but doing
Price and Licensing anything else to your site will probably require administrator inter-
Microsoft and Google have very different philosophies in their licens- ventionas someone without Microsoft Office SharePoint Server
ing practices. Google is simple: Google Docs is targeted at individu- experience, I found trying to change site settings difficult.
als, and its free. You get access to all the web apps, and you can use all Office 365s extra SharePoint features dont hinder users, but
the Google productsGmail for email, Google Talk for communica- Google provides a simpler interface. With Google Docs, you just have
tion, and so on. For $5 per user per month or $50 per user per year, the documents. Both suites make it easy to decide who has access to
you can use Google Apps, which includes Google Docs and gives you your documents and let you share them with outside users.
extra storage, support, and a service level agreement (SLA). Google supports most major browsers for Docs. Office 365,
Microsofts plan structure is much more complicated. At the however, doesnt support Google Chromeyou can view docu-
low end, Microsofts kiosk worker plan (Plan K1) is $4 per month. ments, but you cant use the web apps, nor can you send a docu-
This plan is mostly email and a place to store files for collaboration; ment to your local copy of Office from Chrome.

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 49

has improved dramatically in the past few
years, with most basic Excel formulas easily
replicated. Google spreadsheets also sup-
ports more advanced spreadsheet features,
such as pivot tables, charting, and image
embedding. I would miss some of Words
features if I switched completely to Google
Docs, but I dont think Id miss Excel.
Office 365 beats Google Docs hands
down for presentationsor at least for
Figure 1: Google Docs home page
viewing previously created Microsoft
Google Apps/Google Docs use in a word processor that isnt available PowerPoint presentations. I tried two dif-
in the web apps is change tracking, and the ferent PowerPoint presentations in both
PROS: Inexpensive; accessible from almost collaboration features in both suites can apps: a Microsoft deck from a trade show
any device with a browser; advanced web probably substitute for most applications. and a relatively simple single slide with text
As far as spreadsheets go, Google has an labels. Office 365s slides looked the same
CONS: Missing some advanced features from edge over Microsoft. You cant right-click in as in the desktop version of PowerPoint
locally installed applications; flawed PowerPoint the Microsoft Excel web app, which I do fre- and wouldve been usable for a presenta-
file support
quently, for tasks such as resizing rows and tion. In Googles tool, however, they were a
RATING: hiding and unhiding them. This last func- messsome images were missing, in some
PRICE: $5 per user per month or $50 per user tion is especially importantI know plenty places the text was completely unreadable,
per year of people who use Excels hide function to and even the simple slide had the labels
RECOMMENDATION: If your users dont need
make it easier to look at parts of a spread- formatted incorrectly and moved around.
advanced office suite features, Google Apps can sheet, and as far as I can tell, theres no way In Docs favor, the Google web app could
provide what you need at a low price. You might to use hide in the Office 365 web apps. If actually edit the text on all the slides,
need things Google doesnt provide, though, so you import a document with hidden rows whereas in Microsofts case, text sometimes
be aware of its limitations. or columns created in the offline version of seemed to be stuck behind images and I
CONTACT: Excel, you cant change or view the hidden couldnt figure out a way to change itas
parts without going back to offline Excel. far as I could tell, theres no way to move
Googles spreadsheet app doesnt work things forward or backward.
Web Apps exactly the same as in Excel, but I found I wont go into the email or calendar
With Office 365, you can use a locally installed it easy to transition to using it. Support features of the two servicesyou probably
copy of Office instead of the web appsin for Excel formulas in Google spreadsheets have some experience with both Outlook
fact, many of Office 365s subscription plans
require you to do so. I tested Office 365 with
Office 2007, and it worked fine. Youre basi-
cally working with documents as usual, but
theyre saved to Office 365 instead of your
local machine. (For a complete list of the
available plans and details about which plans
include access to web apps and which require
locally installed copies of Office, see www
small-business/email-calendar.aspx, www
solutions/enterprise-plans.aspx, and www
Both Google Apps and Office 365 pro-
vide functional word processors as web
apps, and its difficult to pick a winner
between them. I prefer Googles interface,
but its mostly just a matter of taste. The
Word web apps interface seems sparse
because the ribbon interface looks odd with
only three tabs. The only feature I regularly Figure 2: Oce 365 team site

50 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

and Gmail. For mobile support, Google Use Cases
definitely leads in my book. Googles web With Office 365, Microsoft basically offers and user friendly. Neither product is bad,
apps work very well on my Android phone, its server room infrastructureExchange and both deliver on what they promise, as
with mobile-specific features to make view- and SharePointmoved into the cloud. long as youre willing to live with their limi-
ing and working with documents easier. Users get the same experience theyd get tations. My recommendation depends on
Office 365 wouldnt work at all on my with a simple, local installation of Office, what your company needs. If your employ-
phone, howeverfor now, Office 365 plays but with some perkscollaboration and ees use all the advanced features of Word,
nice only with Windows Phone 7. version tracking are easier, for example. or if you want all the advanced meeting and
Users can view files from a browser, but calendar features you get with Exchange
Microsoft Office 365 light editing or working with text docu- and Lync, Office 365 is the best choice. But
PROS: Tightly integrated with offline Office ments is about all you should plan on if you dont need every feature in Office,
applications; advanced meeting features; big- users doing from anything other than their youd save big money by going with Google
business infrastructure for smaller businesses work PCs. Apps and Docsand you wouldnt have to
CONS: Relatively expensive and complex licens- With Google, you get a lot closer to what worry about licenses for Office. Plus, youd
ing; limited device and browser support; limited I think of as working in the cloud. Theres give your employees the option of working
web apps no local application to install, and you can from pretty much anywhere.
RATING: work from pretty much any device with InstantDoc ID 140011
a browser. Your users can sign in with a
PRICE: From $4 per user per month to $27 per
user per month Google account and work from their work
PCs, friends computers, Linux machines, Zac Wiggy
RECOMMENDATION: If your users need all the (
phones, or tablets. Googles web applica- is the former products editor for
features you get from using full Office applica-
tions, and if multiple device support isnt too tions beat Microsofts, but you dont have Windows IT Pro and SQL Server
tight integration with local applications. Magazine. He has more than seven
important, Office 365 is a good choice.
years experience as a technology
Both companies products seem, at this journalist, newspaper reporter,
point, like early versions, with a few kinks and editor.

52 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Windows Scripting
Improve your scripting experience by using a multi-featured
Windows script editor
by Anne Grubb

heres a lot to be said for being a do-it-yourself (DIY) Quest Softwares PowerGUI Pro, which is strictly for PowerShell
type. In the IT pro world, the person overseeing IT scripting.
operations often wears multiple hats (system, network, There are, of course, other features to consider besides what
phone admin, Help desk) or, at the very least, has a languages an editor supports. Color-coded syntax is, by now, a
limited budget for investing in new products. In such standard feature and is found in all the scripting editors included
environments, being unafraid to roll up your sleeves in this buyers guide. Debugging support and autocompletion
and script your own solutions for IT task automation, monitoring, (i.e., the editor completes the command or phrase after the user
and deployment is a big plus. types the first few characters) are also standard in most of the
But even the most dedicated DIYers can benefit from using editors listed. Another feature to consider in a scripting editor is
a state-of-the-art Windows scripting editor, instead of banging whether the product lets you set breakpointsa useful capability
out code in a basic text editor such as Microsoft Notepad. The for debugging.
13 scripting editor products offered by 10 third-party vendors File-comparison and source-control support are two addi-
listed in the table on page 54 provide capabilities geared toward tional features that might be important to you, especially if
simplifying the coding, debugging, and maintenance of admin- youre working on a multi-person IT team or in a development
istrative scripts and make creating scripts an easier, more effi- environment in which multiple versions of files are likely to exist
cient experience than using a plain-vanilla text editor. Note that if scripts or other programs are written and maintained by vari-
the guide excludes free, open-source editors (e.g., the popular ous people. File comparison, as its name implies, compares files
Notepad++). and then reports the differences (e.g., dates, folder structure, text
changes). Source control, or version control, manages multiple-
Whats in a Windows Scripting Editor? user changes to a program, file, or document to avoid conflicting
What important features should you look for when evaluating a changes.
Windows scripting editor product? If youre performing admin-
istrative scripting tasks in a Windows Server environment, youre Beyond Editors
likely performing them using Windows PowerShell, which is Two products that also deserve mention arent strictly code-
the de facto scripting environment for a number of Microsoft editing tools but can be considered as alternatives to traditional
products. So if your scripting language of choice is PowerShell, scripting editors. The first product, Quest Softwares PowerGUI
youll want to make sure that the scripting editor supports Power- Pro, provides many basic editing features, but the products pri-
Shell, as well as any other scripting languages (e.g., VBScript, mary purpose is to provide a graphical PowerShell administrative
JavaScript) that you intend to use for scripting or even develop- consolethat is, a means to help IT administrators avoid writing
ment tasks. PowerShell code. PowerGUI Pro is included in the buyers guide
Most of the editors in this buyers guide support PowerShell, list.
and many of them support VBScript and/or JavaScript, which The other product, ScriptLogics Desktop Authority (Script-
are popular languages in Windows scripting. Some of the prod- Logic is part of Quest Software), provides a scripting alternative
ucts support other scripting languages, such as ES-Computings by automating IT desktop administrative tasks (e.g., password
EditPlus and Just Great Softwares EditPad Pro, both of which management, software and update deployment) without the use
support PHP, Perl, Python, Ruby, JavaScript, and VBScript of logon scripts. (ScriptLogic declined to be included in the buyers
(EditPad Pro also supports PowerShell). Noteworthy in regard guide.)
to language support is SAPIEN Technologies PrimalScript 2011, Finally, a product submitted for inclusion in the buyers
which supports more than 40 scripting and programming lan- guide, Alexey Martseniuks PowerShell SE, is in beta and
guages. On the other end of the language-support spectrum is therefore isnt listed in the guide, which includes only released

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 53


Company Product Price Platforms Supported Hardware Requirements Scripting Languages Debugging?

Adersoft VbsEdit $59 Windows XP or later; N/A VBScript Y

33 140 261 741 Windows Server 2003
www.adersoft and later
HtaEdit Ships with XP or later; Server 2003 N/A VBScript/JavaScript Y
VbsEdit and later

ES-Computing EditPlus $35 Windows 7/Vista/XP; 1GHz or higher processor, 1GB PHP, Perl, Python, Ruby, JavaScript, N Server 2003 of RAM VBScript

FastTrack Software FastTrack $450 Windows 7/Vista/ 400MHz, 256MB RAM, 50MB Properietary language Y
www.fasttrack Scripting Host XP/2000/NT4; Windows free disk space Server 2008/2003 and
Windows 2000 Server
Idera Idera $199 per user Windows 7 (x86/x64), N/A PowerShell scripts and modules, Y
713-523-4433 PowerShell Vista (x86/x64), XP SP3 XML, HTML, C#, VB.NET, VBScript, Plus and later (x86/x64); Server batch files, plain text and snippets
2008, Server 2003 SP2
and later (x86/x64)

IDM Computer UltraEdit $59.95 XP and later; Linux; Mac XP or later system Any (general text editor) N
UEStudio $79.95 XP and later XP or later system Any (general text editor) Only with WinDbg

iTripoli Admin Script $99/$199/$299 XP and later 8MB RAM, 200MB free disk PowerShell, VBScript, KiXtart, Y
866-263-0774 Editor editions space AutoIt, Batch

Just Great EditPad Pro $49.95 for Windows 7/Vista/XP/2000 N/A JavaScript, VBScript, Perl, PHP, N
Software 1 user PowerShell, Python, Ruby
Quest Software PowerGUI Pro $199 per seat, PowerGUI Pro: Windows PowerGUI Pro: CPU: 1GHz 32-bit PowerShell Y
949-754-8000 perpetual 7, Vista SP1, XP Pro SP3; or 64-bit; memory: 1GB; disk license; all Server 2008/2008 R2, space: about 70MB for the setup
prices include Server 2003 SP2/R2 SP2 and extra disk space for user
license fees profiles
fi and PowerPacks not
and standard MobileShell: Computer included in setup
first-year or iPad; iPhone 4/3Gs/3G
maintenance and other mobile devices; MobileShell: Supported
BlackBerry OS 6.0 and 5.0; platforms: Intel x86, AMD64, or
Android OS 2.2 and 2.1; Intel 64 (EM64T); memory: 1GB
Windows Phone 7 of RAM for server and an extra
100MB of RAM per user session;
disk space: 75MB
SAPIEN PrimalScript $299 Windows 7 (any edition) 120MB free disk space, 1GB PowerShell, VBScript, JavaScript, Yes for PowerShell,
Technologies 2011 32- and 64-bit versions, of RAM, processor capable of ActionScript, System Policy Editor, VBScript, and
707-252-8700 XP SP3; Server 2008/2003 running XP Flex, AutoIt, ASP, ASP.NET, AWK, C, JavaScript C++, CH, CSS, IDM, CFML, Batch,
C#, Flash, HTML, HTA, Install Script,
Registry Files, INI Files, Java, JScript,
JSP, KickStart, LotusScript, LUA, Pas-
cal, Perl, BASH, PHP, Python, REBOL,
Rexx, Ruby, SQL, TLC, VB.NET,
WinBatch, XML
PrimalForms $299 Windows 7/Vista/XP SP3; 120MB free disk space, 1GB PowerShell Yes with watch, call
2011 Server 2008/2003 of RAM, processor capable of stack, variables, and
running XP separate PowerShell
Debug Console ExeScript From $99.95 Windows 7/Vista/XP; Approximately 20MB of free PowerShell, VBScript, JScript, Y
866-708-0900 Editor Server 2008/2003 disk space; processor capable of windows command shell (.bat and
www.scriptcode running Windows 2000 .cmd), WSF, WSH, HTA, Object Rexx,
.com PerlScript, Python

products. However, the tool is worth a A Spectrum of Prices and Capabilities Adersofts VbsEdit/HtaEdit companion prod-
mention because its somewhat different As youll find in the buyers guide, script- ucts, and IDM Computer Solutions UltraEdit
from other PowerShell editors, in that its ing editor offerings fall within a spectrum and UEStudio, to the mid-range Idera Power-
based on the built-in Windows PowerShell comprising at one end lightweight products Shell Plus, iTripolis Admin Script Editor, and
Integrated Scripting Environment (ISE) with a few enhanced editing capabilities, ScriptCode.coms ExeScript Editor, to higher-
and is essentially a customized ISE. such as Just Great Sofwares EditPad Pro, end products such as SAPIEN Technologies

54 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Set Break- Auto- Color-Coded File Source-Control Other Editor Features

points? completion Syntax? Comparison? Support?
Y Y Y N N Code snippets, samples, object browser, can convert script into

Y Y Y N N Code snippets, samples, object browser, can convert HTAs into


N Y Y N Y FTP and SFTP, code folding, integrated web browser

Y Y Y N N Context help, script save validation, auto encryption

Y Y Y N In version 4.1 Integrated library management, community script search/publish,

sample scripts, code snippets, variables watch list, error list, code signing,
code folding, bookmarks, scripting tutorials

N/A Y Y Y Yes (via user tool) See

Y Y Y Y Yes (integrated sup- See

port and user tool)

Y Y Y Y N Integrated form designer, drag-and-drop script builder, database code

builder, ADSI code builder, WMI code builder, XML code builder, script
packager, and more (see
N N Y Y N Support for other scripting languages can be added by the user to the
same level as the languages for which EditPad Pro has built-in support,
by creating syntax coloring and fi
file navigation schemes based on
regular expressions
Y Y Y N Works with various Syntax highlighting, IntelliSense, code snippets, block indent, block
version-control sys- comment, bookmarks, AutoRecover, code folding, viewing definition
fi of
tems (Microsoft Visual functions, and others
SourceSafe, Microsoft
Team Foundation
Server, Subversion
with the

Y Y Y Yes, through Y Multi-platform support, 64-bit PowerShell debugger, 64-bit VBScript/

included JScript debugger, dynamic Help window, platform-sensitive PowerShell
PrimalMerge PrimalSense, standard XML snippet format, multiple embedded shells
application (e.g., PowerShell, Cmd, Bash), debugger meta comments, elevated script
debugging, visual change tracking, SAPIEN Document Explorer, and

Y Y Yes, with Yes, through Y Forms designer, 32-bit and 64-bit PowerShell consoles, supports 32- and
automatic syntax included 64-bit PowerShell, Script Packager with encryption, elevated privileges,
checking PrimalMerge manifests and version info, separate debug console, VS-compatible code
application snippets, integrated PowerShell Help, WMI browser, PowerShell browser,
.NET browser, multi-form project creation, form templates, and others
Y Y Y N N Fully integrated script development environment, full Unicode support,
powerful script debugger, script protection, context-sensitive reference,
built-in object browser, numerous samples

PrimalScript and FastTrack Softwares Fast- fine. But if youre working in a larger IT envi-
Track Scripting Host, which offer a fuller ronment creating and managing hundreds
Anne Grubb
complement of editing capabilities plus other of management scripts, the higher-end, full- former content manager of
features. If youre a one-person IT organiza- featured scripting editor solutions ought to DevProConnections, is a freelance
writer and editor based in Colorado.
tion on a tight budget, any of the lower-priced be within your purview.
products will probably serve your needs just InstantDoc ID 140285

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 55


Social Networking Mobile System Center Orchestrator


6 Reasons Why Google+ Will Succeed

Google+ has been available for several of Googles attempts to bake more social Google Apps under the radar of corporate IT
months, and Ive spent some time playing media factors into search and determine the to share and collaborate on documents and
with the service. After fiddling with circles, social value of individual websites. spreadsheets in the cloud. Why wouldnt
sparks, and huddles, Ive come down on they consider using Google+ to collabo-
the side of those who think Google+ is here 3. Google+ Everywhere rate and exchange information even more
to stay, and that it brings some new and While Google may have been late to closely, especially when Google+ is available
innovative features to the table. Yet while embrace social media, the Google+ strategy for free with a standard Google account?
Google+ competes with existing social intends to leverage all of the companys The advent and adoption of Google+ in
media platforms on some level, Id argue strengths in a way that previous efforts the enterprise may make things difficult
that Googles ambitions for Google+ go far havent. I believe Google intends to embed for pure-play social enterprise vendors like
beyond simply competing with Facebook. Google+ support across its entire prod- Yammer very quickly.
uct family, from Google search to Gmail,
1. Its Not Facebook YouTube, and beyond. In this sense, using 5. Business Value Trumps Novelty
Some bloggers and pundits have already Google+ isnt analogous to adopting yet Every business on the planet has a vested
dismissed Google+ as a poor clone of another social media platform, as Google interest in doing well in Internet search
Facebook. While Google+ does have some is simply adding Google+ functionality to rankings, and Google has made it very clear
features that are comparable to Facebook, services were already using. Capitalizing that Google+ and the Google +1 feature
it isnt fair to dismiss it as a feature-for- on your strengths is always a valid business will have an impact on search. Perform-
feature clone. Granted, Google+ cant match strategy, one that Apple and Microsoft have ing poorly in Google search can result in
Facebooks impressive 750 million user base, been especially effective at employing. millions of dollars in lost revenue for some
and I doubt it will ever usurp Facebook as companies, so the pressure on businesses
the social media platform of choice for post- 4. Consumerization Is Driving the IT to embrace this trend will be overwhelm-
ing photos of Hummel figurine collections, Agenda ing. Companies are already bolstering their
reports of embarrassing office parties, or The adoption and use of computing devices social efforts on Twitter, Facebook, LinkedIn,
serving as the online soapbox of choice we and services intended initially for consumer and other emerging social media platforms
all use to tell our own airbrushed versions of use in the enterprise is increasing, and to help boost their search results, and that
reality. (Those of you who have neverr used Google is one of the companies leading the trend will undoubtedly continue.
Facebook to post pictures of your kids, brag charge. Microsoft has been forced to react
about a recent vacation, or subtly tried to let to this change, with the recent unveiling of 6. Unique Features
everyone know how great of a person you Office 365 and the long-overdue move to Google has clearly done its homework with
are can be excused. Still here? I thought so.) Windows Phone 7 being responses to the the features offered in Google+, with at
success of consumer-focused cloud services least two of themcircles and huddle
2. Social Is the New Search and mobile devices, respectively. Google is being singled out most often for praise by
Part of that broader ambition for Google+ embracing and driving this trend perhaps early adopters. Circles is a much easier and
is improving Google search, which has suf- more than any other vendor, with Gmail and more effectively implemented method of
fered an increasing amount of criticism over Google Apps for Business and Education managing your online relationships with
the past 12 months concerning deteriorat- in the cloud space, and Google Android in different groups of people, and huddle is a
ing search result quality. Google is continu- the smartphone market. Amazon may chal- group video and text messaging feature.
ally updating its search algorithm to provide lenge Google in the cloud arena, and Apple
better search results, and part of that is a strong competitor in the mobile space. Have you taken the plunge into Google+
improvement includes the addition of social Google has emerged as a driving force in yet? Let us know what you think of
media factors. More people than ever are the consumerization of IT, and Google+ has Googles latest product offering by starting
using social media to select and distribute the potential to have more of an impact in up a discussion on Twitter (@jeffjames3).
online content to their friends, and Google+ the enterprise than Facebook. Consider this: Jeff James
(and the new Google +1 feature) are two Millions of business users are already using InstantDoc ID 140164

58 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Smartphone App Addiction: It Could Be a Good Thing

MTV Networks, along with Latitude life better by improving productivity, and download a free app is governed largely by
Research, recently released a new study thereby creating free time and opportuni- user and personal recommendations.
about smartphone app usage. (To learn ties for positive discovery. Finally, apps pro- 3. TrialAfter youve downloaded that
more about the study, visit vide exposure to new thingswhatever new app, youve got to test it out and see
The research involved a survey of more that might mean in this context. if it lives up to expectations. However, a
than 1,300 people who reported using The second key finding describes a significant portion of downloads appear to
apps daily, as well as in-depth interviews typical four-stage app life cycle: be deleted within 3 weeks. Of those apps
with app consumers. The key findings of 1. DiscoveryThe study points out that are kept, many users report check-
this research fall into two areas. The first that most app discoveries are a result of ing that app at least once a day. In certain
area has to do with how our app addiction recommendations, which include personal categories (gaming, entertainment), those
is changing our daily livesand, at least in recommendations from someone you apps are being opened several times a day.
the way theyve presented their findings, know and user reviews in the app stores Yeah, its an addiction.
changing them for the better. so, if you write such reviews, be honest 4. Abandonment or Long-Term
The study found that 83 percent of and write well; proofreading is so easy yet UsageThe final stage: Even an app that
respondents reported being addicted important! passes the trial stage might be abandoned
to apps. However, this app addiction is 2. AdoptionThe adoption stage is after its usefulness has passed. However,
presented as having a positive effect on when you make the decision to download apps that continue to provide new content
peoples lives in three distinct ways. In a an app. For paid apps, the price was a large or new experiences are likely to stay in
personal focus, apps allow intense person- determining factor in whether users chose regular use. Also, users want apps to be fun
alization and hyper-focus, filling our idle to download it; having a free or preview and entertaining.
moments with me time on-demand. Apps version available made the decision some- B. K. Winstead
are also described as making everyday what easier. The decision about whether to InstantDoc ID 140086

60 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m


Leverage SCSM to Allow End Users to Trigger

Orchestrator Runbooks
While you can think of Microsoft System product-specific tasks. Depending on the the recovery of a SQL Server database by
Center Orchestrator as the glue that binds IP, a task might be to create a new VM from leveraging DPM. You can then configure
the System Center suite together, Microsoft a template, recover a SQL Server database, SCSM so a portal page is available that lets
System Center Service Manager (SCSM) or get Data Protection Manager (DPM) to users perform database recovery. By linking
increasingly seems to be the front end protect a specific data source. SCSM to Orchestrator, you can query the
that makes it straightforward enough that Although you can use runbooks to DPM server to populate a drop-down list
anyone can initiate Orchestrator runbooks. heavily automate processes, in some situ- of available recovery points, allowing the
SCSM can do some very interesting things, ations you need to pass information to a portal user to specify which recovery point
primarily because its designed to fully inte- runbook for it to do anything. Examples he or she wants to recover from rather than
grate with other products in the System include the details of the virtual machine having to request a recover operation be
Center suite. (VM) template that you want to use to performed by a DBA or DPM administrator.
For those not up-to-date on provision a new VM using Microsoft System Leveraging SCSM, Orchestrator, and
Orchestrator nomenclature, a runbook is a Center Virtual Machine Manager (VMM), DPM, you can get all the back-end stuff
set of automated tasks that administrators or the details of the database that you working so that from the perspective of a
can put together. Its sort of like writ- want to recover using DPM. By hooking database user, database recovery becomes
ing a script, but instead of doing it all in SCSM into Orchestrator, you can create as simple as recovering a file from a folder
PowerShell, a drag-and-drop interface links forms in SCSM that let data pass directly to using the Previous Versions of Files func-
specific tasks together. When you build a Orchestrator. tionality.
runbook, you draw tasks together from For example, you could create a Orin Thomas
an Orchestrator IP. An IP is a collection of runbook in Orchestrator that allows for InstantDoc ID 140059

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 61

For detailed information about products in this issue of Windows IT Pro, visit the websites listed below.


1&1 Internet. . . . . . . . . . . . . . . . . . . . . . .56, 57, 59 HP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Quest Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Altova . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 IBM Corporation . . . . . . . . . . . . . . . . . Cover 2, 7 Quest Software. . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CloudITPro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 MobileDevPro . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Western Governors University . . . . . . . . . . . 60
Enow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Paul Thurrott Pocket App . . . . . . . . . . Cover 3

Exchange 2010 Essentials Workshops. . . .62 Penton Marketing Services. . . . . . . . . . . . . . 15 WinConnections Fall 2011. . Cover Tip, 24, 25

VENDOR DIRECTORY The following vendors or their products are mentioned in this issue of Windows IT Pro on the pages listed below.

Adersoft. . . . . . . . . . . . . . . . . . . . . . . . .54 HP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 ManageEngine . . . . . . . . . . . . . . . . . .45 Quest Software. . . . . . . . . . . . . . 47, 54

Apple . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Idera . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 MSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

SAPIEN TTechnologies . . . . . . . . . . . .54

Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 IDM Computer Solutions . . . . . . . .54 NETIKUS.NET . . . . . . . . . . . . . . . . . . . .44 . . . . . . . . . . . . . . . . .54
ES-Computing. . . . . . . . . . . . . . . . . . .54 iTripoli . . . . . . . . . . . . . . . . . . . . . . . . . .54 NetWrix . . . . . . . . . . . . . . . . . . . . . . . . .44

Twisted Pair . . . . . . . . . . . . . . . . . . . . .44

FastTrack Software . . . . . . . . . . . . . .54 Just Great Software. . . . . . . . . . . . . .54 Nexsan. . . . . . . . . . . . . . . . . . . . . . . . . .44

Google. . . . . . . . . . . . . . . . . . . . 6, 49, 58 Lieberman Software . . . . . . . . . . . . .45 Nimbula. . . . . . . . . . . . . . . . . . . . . . . . .44 Virtacore Systems . . . . . . . . . . . . . . .46


Search our network of sites dedicated to hands- Windows IT Pro VIP NEW WAYS TO REACH
on technical information for IT professionals. Get exclusive access to over 40,000 articles and WINDOWS IT PRO EDITORS: solutions on CD and via the Web. Includes FREE
access to eBooks and archived eLearning events, LinkedIn: To check out the Windows IT Pro
Support plus a subscription to either Windows IT Pro or group on LinkedIn, sign in on the LinkedIn
Join our discussion forums. Post your questions SQL Server Magazine. homepage (, select the Search
and get advice from authors, vendors, and other Groups option from the pull-down menu, and use
IT professionals. Windows IT Pro as your search term.

News Facebook: Weve created a page on Face-

book for Windows IT Pro, which you can access
Check out the current news and information SQL
Q SERVER MAGAZINE at: Visit our Facebook
about Microsoft Windows technologies. Explore the hottest new features of SQL Server, and page to read the latest reader comments, see links discover practical tips and tools. to our latest web content, browse our classic cover gallery, and participate in our Facebook discus-
Get free news, commentary, and tips delivered
automatically to your desktop. Twitter: Visit the Windows IT Pro Twitter page at
DevProConnections UPDATE
Exchange & Outlook UPDATE
Discover up-to-the-minute expert insights, infor-
Security UPDATE
mation on development for IT optimization, and
SharePoint Pro UPDATE solutions-focused articles at,
SQL Server Magazine UPDATE where IT pros creatively and proactively drive busi-
Windows IT Pro UPDATE ness value through technology.
WinInfo Daily UPDATE
SharePoint Pro
RELATED PRODUCTS Dive into Microsoft SharePoint content offered in
specialized articles, member forums, expert tips,
Custom Reprint Services and web seminars mentored by a community of
Order reprints of Windows IT Pro articles. Diane peers and professionals.
Madzelonka at

w w w. w i n d o w s i t p ro. c o m W e r e i n I T w i t h Yo u Windows IT Pro OC TOBER 2011 63

Send your funny screenshots, oddball product
news, and hilarious end-user stories to rumors@ If we use your submission,
by Jason Bovberg
youll receive a Windows IT Pro Rubiks Cube.

La month in this space,

we shared our favorite prod-
uct c of the year, a set of coffee
mugs immortalizing every-
b o
bodys favorite three keys on
ttheh keyboard. We thought
wed take a look around the
n and see what other
i of Ctrl+Alt+Del products
have been bought and sold in
the wild. And we found a number of fun Ctrl+Alt+Del-
themed things, from candy to rings to framed art to coast-
ers to pillows to switch plates to tee-shirts.
Its been over 35 years since David Bradley, an IBM
engineer, invented the command. Little-known fact:
Bradleys work required him to frequently power down
and restart his computer, so he created the shortcut to
save time. He never intended to make the combination
public, but IBM urged him to do so because it was so
useful. Later, Bill Gates included Ctrl+Alt+Del as part
of the logon procedure. Bradley has said, I may have
invented Ctrl+Alt+Del, but Bill Gates made it famous.

October 2011 issue no. 206, Windows IT Pro (ISSN 1552-3136) is published monthly. Copyright 2011, Penton Media, Inc., all rights reserved. Windows is a trademark or registered trademark of
Microsoft Corporation in the United States and/or other countries, and Windows IT Pro is used under license from owner. Windows IT Pro is an independent publication not affiliated with
Microsoft Corporation. Microsoft Corporation is not responsible in any way for the editorial policy or other contents of the publication. Windows IT Pro, 748 Whalers Way, Fort Collins, CO 80525, (800)
793-5697 or (970) 663-4700. Sales and Marketing Offices: 748 Whalers Way, Fort Collins, CO 80525. Advertising rates furnished upon request. Periodicals Class postage paid at Loveland, Colorado, and
additional mailing offices. POSTMASTER: Send address changes to Windows IT Pro, 748 Whalers Way, Fort Collins, CO 80525. SUBSCRIBERS: Send all inquiries, payments, and address changes
to Windows IT Pro, Circulation Department, 748 Whalers Way, Fort Collins, CO 80525. Printed in the USA.

64 OC TOBER 2011 Windows IT Pro W e r e i n I T w i t h Yo u w w w. w i n d o w s i t p ro. c o m

Dan Holme: SharePoint folks, were being heard! p.3

SharePoint 2010 Learning to Love PowerShell

Lessons Building Public-Facing

SharePoint 2010 Sites

Learned 15 SharePoint Branding Tips

SharePoint 2010

Backup and Recovery

Buyers Guide:
Management Solutions

October 2011


3 Guest Editori
by Dan Holme

0 SharePointt Q&As
by Ethan Wilansk
Wilansky and Bart McDonough


5 What SharePoint Admins Need to Know to Work with

SharePoint DevsAnd Vice Versa
From SLAs to custom code, admins and devs need to
understand their differing agendas, says Randy Williams.

Cover Stories:
SharePoint 2010
Lessons Learned Features

11 Designing SharePoint
Dan Holme dives into
24 15 SharePoint 2010 Branding Tips
Celina Baginski shows you insider tricks for smarter
SharePoint design.
governance, the cornerstone
to a successful SharePoint
implementationsharing 4 key
steps in creating a governance
30 SharePoint 2010 Backup and Recovery
Ron Charity walks you through how to create a SharePoint
backup and recovery plan to help minimize SharePoint
plan. downtime and data loss.

15 Using Custom Actions

to Empower SharePoint
Designer 2010 Workflows
Andrew Connell shows you how
Products and Reviews
to address SPD 2010 limitations
with the help of Visual Studio.
35 Buyers Guide: SharePoint Document Management

18 SharePoint
Admins Can Learn to
Love PowerShell
Caroline Marwitz explores third-party SharePoint document
management solutions that you can use to make SharePoint
work best to suit your organizations needs.
Find out how 3 key lessons
learned the hard way helped
Todd O. Klindtt finally get
Windows PowerShell.
39 New and Enhanced
SharePoint solutions and product news from Workshare,
Syncsort, and LOGbinder.

20 Implementing Custom
WCM Sites with
SharePoint 2010
Editors Note:
While working on Microsofts
SharePoint marketing website, We are pleased to be able to bring you this issue of SharePoint Pro
Todd Baginski learned many as a supplement to Windows IT Pro. We hope you find the additional
lessons about building public- content beneficial. While this is the last print issue of SharePoint
facing websites on SharePoint Pro, you can continue to access the same quality news and technical
2010among them, these 3. content on our website at

SharePoint Pro | October 2011 1

By Dan Holme

SharePoint 2 Years Later:

Kim Paulsen, Senior Vice President, Technology
Media Group
Shirley Brothers, Director, Developer Market Group

The Conversation Changes

Pegg Miller, Publisher
l Marwitz, SharePoint Editor and Content Mananager
Michael Otey, Senior Technical Director
Amy Eisenberg, Editor in Chief
ave Bernard, Group Editorial Director, Custom Media

Jason Bovbe
vberg, Anne Grubb, Megan Bearly Keller,

ctober 2009, Las Vegas: Microsoft unveils the latest version of Share- Lavon Peters, Brian
Bria Keith Winstead

Pointrebranded as SharePoint Server 2010. Significant architectural CONTRIBUTING EDITORS

changes for services and authentication. Major investments in business Andrew Connell, Dan Holme, Ethan Wilansky,
Kevin Laahs, Todd Klindt
intelligence (BI) and social networking. Customers wonder if SharePoint is ready
for prime time for enterprise content management and whether BI will be easier ART & PRODUCTION
Matt Wiebe, Senior Graphic Artist
than it was. Some ask, Why would I want Facebook-like features in my enter- Linda Kirchgesler, Production Director
prise? The few Microsoft Online customers ask when BPOS will be upgraded to
SharePoint 2010. Analysts expect strong adoption of SharePoint Server 2010. Jacquelyn Baille, Sales Manager
(949) 226-2313

October 2011, Anaheim: The company throws possibly the biggest (my guess, as of REPRINT SALES
press time) SharePoint event in historythe Microsoft SharePoint Conference 2011. Diane Madzelonka (216) 931-9268

Adoption of SharePoint 2010 is overwhelming. SharePoint is worth well over $1 billion, LIST RENTALS, MERITDIRECT
and Microsoft claims sales of more than 20,000 new CALs for SharePoint per day. 333 Westchester Avenue, White Plains, NY 10604
Marie Briganti (877) 796-6947
Kristen Killingback (914) 368-1062
Two years later, and my, how things have changed! The conversation is no lon- Chris Blohm (914) 368-1031

ger Is SharePoint ready for enterprise content management? It became Why CIRCULATION & MARKETING
does Microsoft arbitrarily limit us to support of a 200GB content database when Amanda Phillips, Marketing Director
Marie Evans, IT Group Director of Audience Development
we have terabytes of content we want to migrate to SharePoint from our file Customer Service ................
servers and [name your favorite competitive content management system]? Well
it wasnt arbitraryMicrosoft had to ensure it had done enough testing to stand Gary Brothers, Vice President, Operations
behind higher levels of support, and this year it had the resources to focus on Dan OConnell, Show Manager/Ofce IT Manager
Virdene Compton, Accounting/Marketing Manager
that task. Now the limits are sky high, as long as performance requirements are Heather Manson, Expo/Sponsor Manager
met (.25 2 IOPS per GB stored) and architecture and tools to support SLAs has Joan Poirier, Conference Show Coordinator
Stacey Lake, Marketing Associate
been considered. Karissa Heberger, Registration/Housing

And the conversation continues: What about records management and compli-
ance with [name your favorite regulation or policy]? Several ISVs have stepped
forward with solutions to fill the gaps. As enterprises realize that SharePoint has
become, or is rapidly becoming, a mission-critical content repository, the conver-
Sharon Rowlands, Chief Executive Ofcer

sation has changed: How do we reduce costs of storage and provide IT assur-
ance for this service, so that this content is recoverable in [name your favorite Nicola Allais, Chief Financial Ofcer
data corruption or disaster scenario]? Other ISVs stepped forward with solu-
tions for infrastructure management and IT assurance, including solutions that
leverage Remote BLOB Store (RBS), which after quite a bit of drama, debate, and
in-fighting within the community and within Microsoft itself, Microsoft has now
firmly stood behind as a real solutionwhen applied and architected correctly
to storage management.

Along the way, enterprises extended their collaboration on SharePointto dis-

tant and disconnected users, to customers, to partners, to vendors, and to the
general public. Huge pain points still exist in some of these scenarios, but one
of the many solutions is the cloud. In June 2011, Microsoft finally updated its
online offerings to include SharePoint 2010, rebranding it as Office 365, with
huge improvements but some painful gaps that Microsoft will be filling with
each update and, eventually, with Wave 15 (SharePoint vNext). t

SharePoint Pro | October 2011 3


The conversation is now, Is the cloud enterprise-ready? social featuresmicroblogging, better communitiesand
and, in the case of Office 365, the answer is highly depen- Ive seen customers doing very cool things with MySites,
dent on your business requirements and the specific appli- including moving traditional My Documents data to
cation. Exchangeprobably yes. SharePointin limited sce- users My Sites, which instantly enables web-based, device-
narios, maybe. Office 365 isaccording to Microsoftreally independent (iPad, anyone?) access to data.
about providing a heretofore-absent solution for SMBs.
Two years ago, we were handed an envelope stuffed with
Wave 15? Watch out! If Microsoft succeeds in boosting new features that were, in some cases, half-baked (UPS war
SharePoint vNext the same way it boosted Exchange 2010 stories, anyone?) and in other cases were not yet relevant
SP1 for the cloud, well be looking at a really amazing, to many. Today, weve torn into that envelope, and were
enterprise-ready story for public and private cloud, and pushing it further than Microsoft really envisioned.
(most importantly) hybrid SharePoint.
Ive observed Microsoft listeningto its customers, to ana-
BI? What I see in customers is adoration for PowerPivot lysts, to partners, and to its own innovators. Im optimistic
and Excel and less enthusiasm about everything else. I that this time next year well all be testing a version of
claimed that MOSS 2007s BI features were a diving board SharePoint that not only answers many of our concerns but
into an empty pool (using a metaphor from another MVP). also advances us further.
SharePoint 2010 seems to have filled the pool with water, InstantDoc ID 140176
but not many are swimming. Excel is where we do our real
analysis. I bet Microsoft has noticed now.

And social? The conversation now is far less Why or Dan Holme is an MVP in SharePoint Server and is the Chief
Were scared of [name your favorite fear of social network- SharePoint Evangelist for AvePoint. Connect with Dan and follow
ing] and is far more, We get it and we cant get enough his musings on Twitter @danholme. He still has email, but thats so
of it! Clever ISVs have stepped in to add critical missing last-decade.

4 October 2011 |

By Randy Williams

SharePoint DevsAnd
Vice Versa
From SLAs to custom code, admins and devs have different
agendas but a common goal

ver the past few years, the friction thats devel- is massive, it doesnt do everything. So we use custom
oped between IT administrators and developers code to enhance it by adding features such as custom Web
has diminished somewhat. But not everywhere. In Parts or custom workflow solutions. In some cases, a new
general, the adoption by businesses of process models such look and feel and new business rules are used to mold
as IT Infrastructure Library (ITIL) and Capability Maturity SharePoint into something quite different from the RTM
Model Integration (CMMI) has increased the maturity of version. The ability to plug in custom code is what gives
their operations. But one thing that hasnt improved is col- SharePoint this malleability. Have you ever wondered why
laboration between administrators and developers in the there are so many third-party software vendors selling
delivery of SharePoint. Ironic, considering SharePoint was SharePoint add-ins? Its precisely because of SharePoints
designed to foster collaboration. design as a platform.

Part of the reason is that SharePoint is still relatively new Problems with Custom Code
and not well understood. More significant still is that You might be thinking, How does custom code create
SharePoint isnt typically used just out of the boxits friction? In many ways, actually. Did you know that the
designed to be enhanced by custom code. In this respect, number-one factor behind SharePoint support issues is
SharePoint is also a technology platform. custom code? Custom code can introduce security vulner-
abilities. It can cause performance problems and can desta-
What does this mean? Lets compare SharePoint to bilize the farm. And it can complicate troubleshooting. For
Microsoft Exchange Server for a moment. Email is ubiqui- example, when you troubleshoot a web application thats
tous, and the way that its used varies little from organiza- throwing errors, its a challenge to isolate the source of the
tion to organization. Although email programs have many problemwhether its custom code, misconfiguration, or
important configuration options, you rarely use custom some out-of-the-box problem. Custom code can also affect
code to modify how the program looks or works. If you your ability to upgrade the program. Case in point: Some
have Microsoft Office Outlook and Exchange Server work- companies continue to run SharePoint 2003 because of the
ing correctly, youre set. pain and effort involved in upgrading. Custom code can
also complicate disaster recovery procedures. Case in point:
SharePoint is a different story. The way in which its used Replacing a crashed SharePoint web server is much more
varies widely, and the out-of-the-box product sometimes difficult if custom code has been introduced, especially if
falls short of actual business needs. Although SharePoint the code has been manually deployed.

SharePoint Pro | October 2011 5

F e a t u r e Admins and Devs

When business units expect a customized SharePoint expe- Also, use sandboxed solutions when possible. (See
rience, developers do their part by building it. However, SharePoint 2010 Sandboxed Solutions at www
administrators must support the customization. And if, InstantDoc ID 125632.) Sandboxed
the custom code introduces problems, the process creates solutions are .wsp files that can be deployed by anyone
friction. The solution to this dilemmaand the key to a who is a site collection administrator. These packages dont
successful and harmonious SharePoint deploymentis require a farm administrators involvement, and this saves
to recognize that both the admin and developer roles are those administrators time and effort. Moreover, sandboxed
essential and interdependent. There must be mutual under- solutions cant destabilize a farm in the same way that
standing and respect between the two. In hopes of helping, a regular solution package can. For example, if a custom
Ill explain what developers must understand about admin- sandboxed Web Part throws an unhandled exception, only
istratorsand vice versa. Along the way, Ill cover several the Web Part is broken, not the whole web page. Although
best practices. there are limits to what sandboxed solutions can do, dont
let this stop you from using them where they can be used.
What Developers Must Understand They are still useful and relevant for many custom code
The most important aspect of a SharePoint administrators requirements.
role is represented by a three-letter acronym: SLA. The
service level agreement, whether formal or informal, is a Security is obviously very important in a SharePoint envi-
contract between the SharePoint operations team and the ronment. SharePoint often stores Personally Identifiable
business. The SLA is often described as a series of metrics, Information (PII) and may even hold trade secrets. When
such as uptime percentage. How do SharePoint administra- you write custom code, be sparing and cautious in how you
tors define success in their jobs? By helping the operations use the RunWithElevatedPrivileges security method (see
team meet the SLAs. The more critical the system, the more the MSDN article SPSecurity.RunWithElevatedPrivileges
difficult and challenging the SLAs. If the farm goes down at Method at Do not write code that requires
2:00 P.M., who is the first person called? Not a devel- the trust level of web.config to be elevated (see MSDNs
oper. Whose job is on the line if the farm doesnt come Securing Web Parts in SharePoint Foundation at
back online within the SLA window? Not the developer. NwGJg). If a sandboxed solution isnt possible, youre bet-
Unscheduled downtime for even a few minutes isnt accept- ter off deploying the assembly to the global assembly cache.
able for many businesses. To support their fellow adminis- As a developer, you must know the organizations security
trators, developers must write quality code that ensures that policy very well before you write any code. If a security pol-
the SLA isnt compromised. icy doesnt exist, help to create one, and include this policy
with the governance or Application Lifecycle Management
Furthermore, developers must understand the importance (ALM) plan.
of keeping the production farm stable. Among other best
practices, proper error handling must be applied to all Developers must make only those changes that are sup-
custom code. Without effective error handling, users are ported by Microsoft. Among other considerations, avoid
often greeted by the not-so-helpful error message, An changing out-of-the-box files in the SharePoint root direc-
unexpected error has occurred. Developers should also run tory (which some refer to as the 14 Hive), and never
SPDisposeCheck (see the MSDN article SharePoint Dispose change or add objects (e.g., tables, stored procedures, trig-
Checker Tool at on their compiled assem- gers) to the SharePoint content databases. (See MSDNs
blies (DLLs) to make sure that no memory leaks exist. The Support for changes to the databases that are used
best way to make sure that your code is stable is to have by Office server products and by Windows SharePoint
other people review the code and perform thorough unit Services at
and integration testing.
SharePoint developers must understand SharePoint architec-
When custom code is developed, it must be packaged as ture from a developers perspective. This means that you, the
a .wsp file to automate the deployment. A .wsp file is a developer, must understand the SharePoint technology plat-
Windows SharePoint Services (WSS) solution package. This form and how SharePoint uses SQL Server, IIS and ASP
step is the single most important best practice for develop- .NET. By understanding SharePoints construction, you will
ers. Without a solution package in hand, administrators understand how it can be enhanced by using custom code.
must manually deploy custom code and its configuration This takes time, just as it takes time to write quality code. But
changes. This can take an incredible amount of work and it also makes you a better developer. Books such as Inside
bring down the farm if the code isnt deployed correctly. SharePoint 20100 (at Amazons website at
For this task, use tools such as WSPBuilder ( and Real World SharePoint 2010 0 (at Wileys website at
or the SharePoint project templates inside Visual Studio e8Omtk) help. Also consider classroom training to get hands-
2010. Both tools create solution packages automatically. on, instructor-led guidance.

6 October 2011 |

What Administrators Must Understand different server roles (web server, application server, data-
Administrators must understand a few things too. First, base server) and how each communicates with the others
know that writing SharePoint code is very challenging. from a network and security perspective. This knowledge
SharePoints object model (the technology platform) is also helps you to understand (conceptually, at least) the
expansive and contains tens of thousands of API calls. Parts technology platform. You can gain more insight into this
of the object model arent intuitive. Although the docu- process through books such as Professional SharePoint
mentation is always improving, it still suffers from a short- 2010 Administration (see Amazons website at
age of quality explanations and examples. On top of that, h8cu57) and my own book, SharePoint 2010 Administration
many additional technologies are required in order to write Instant Referencee (at Wileys website at
SharePoint code. Its truly an alphabet soup, ranging from As an administrator, take a cue from developers and con-
HTML, CSS, AJAX, XSLT, and CAML to .NET, JavaScript, sider technical training if you have no formal training in
and the new client object models in SharePoint 2010. As in SharePoint.
nearly all aspects of code writing, quality comes with a lot
of experience, and most organizations struggle to findor Stick to the Plan
to affordsenior SharePoint developers. Despite SharePoints complexity, you should stick to your
organizations Application Lifecycle Management (ALM)
As a SharePoint administrator, you must know how to plan. According to Wikipedia, ALM is a continuous pro-
deploy .wsp files. Although the concept is simple, you cess of managing the life of an application through gov-
should understand what these packages do and how to ernance, development and maintenance. Some people
retract (uninstall) them. For more information about this believe that because SharePoint is such a unique product
process, see Solutions Overview at and that you cantor shouldntfollow existing processes.
SharePoint Powershell for Solution Deployment (WSP) at This is not true. You might have to adapt your existing processes to accommodate SharePoint. But considering
SharePoints complexity and importance, its essential
You cant use Central Administration, SharePoints admin- that you maintain the rigor and discipline of your current
istrative GUI, for all administrative tasks. Therefore, you practices.
must become proficient in Windows PowerShell, the de
facto command-line interface for SharePoint 2010. Because If your organization doesnt have anything that resembles
PowerShell lets you do some amazing things, such as mak- an ALM, administrators and developers should jointly cre-
ing direct API calls, it gives you some of the same power ate one. As part of this process, make sure that you have
that developers have without forcing you to use Visual a complete test or staging environment that mimics pro-
Studio. If youve been holding back or just procrastinating, duction as closely as is technically possible. Be diligent in
now is the time to get up to speed with PowerShell. The deploying and thoroughly testing custom code before it
time that you invest will be paid back again and again in goes into production. If there is any point in this process at
your increased productivity. which administrators and developers should be resolving
problems together, its in the staging environment. Friction
You must know how to read the SharePoint Unified Logging is greatest when you are troubleshooting actual production
Service (ULS) log files and how to use them to trouble- problems.
shoot problems. You can use tools such as ULSViewer (see
MSDNs ULS Viewer at to get a real-time Finally, both administrators and developers should be
view of log files and to consolidate log files from multiple tapping into the ever-growing SharePoint community.
servers. You should know that SharePoint logs many mes- Very likely, you will get to know and respect many other
sages to the Windows Application log as well. This is espe- SharePoint developers and administratorswhich, at the
cially helpful because the messages in the Application log very least, makes working together over the course of your
are less detailed than those in the ULS log, and this gives SharePoint career much more enjoyable.
you a perspective of the problem from a higher level. In InstantDoc ID 136094
fact, when it comes to troubleshooting, administrators and
developers need to work directly together. Troubleshooting
the harder problems often requires different skill sets, and
it never hurts to have another pair of eyes look over your
Randy Williams ( is a SharePoint
SharePoint administrators must understand the SharePoint MVP, and an enterprise trainer and evangelist at AvePoint. He is
architecture from an administrators perspective. This based in San Diego and speaks about SharePoint topics at user
means that you, the administrator, must understand the groups and conferences. Randy blogs at

SharePoint Pro | October 2011 7

By Dan Holme

From requirements to governable architecture

overnance is the cornerstone to any successful In future articles, I will explain how you can apply the
SharePoint implementation. Without it, you are process to specific scenarios, to gain prescriptive guidance
doomed to fail eventuallya lesson that many towards successful architectures. And I will show you how
organizations learn the hard way. to use the technology to automate and enforce your gover-
nance policies.
Because governance matters so much, there is a lot of
information about it, starting with the TechNet SharePoint Step 1: Define Your Requirements
Server 2010 Governance Resource Center ( As a consultant, I spend probably 80 percent of my time
.com/en-us/sharepoint/ff800826.aspx). There is no short- helping customers to define requirements and develop dis-
age of governance resources, from SharePoint MVP blogs to cipline around requirements gathering. After all, you must
SharePoint Pro magazine and beyond. understand the requirements for any solution before you can
effectively design that solution. SharePoint is no different.
Many of these resources focus on how to create a gover-
nance framework: how to assemble the people, policies, The problem that I observe is that SharePoint implementa-
and procedures and how to develop a governance plan. But tions involve a lot of requirements. So I find it helpful to
all too often, such discussions leave out a fourth equally categorize them, and then identify which categories are
important component of governance: technology. salient at each step in the process. I suggest that you group
your requirements into these categories:
You must understand the technology that you are trying to Business requirementsThese are the requirements
govern; you cant ask it to do something that it cannot do. that really matter. They dene the business purpose of
And you should use the technology to facilitate governance. the solution that the customer is asking you to create.
In this first of a series of articles, I will explore the techni- Whenever possible, avoid polluting business require-
cal side of governance and thereby answer several vital ments with technical requirements. More often than
questions: not, technical requirements are articial.
When a busi-
What does a governable SharePoint implementation ness customer says, I need a sub site that does x, or
actually look like? I need a button that does y, that customer is casting
What is the physical and logical architecture of such an themselves as a technologista solutions developer.
implementation? Encourage them to take a step back and describe the
How many farms, servers, web applications, content desired result (x or y) without mentioning technology.
databases, site collections, and sites does such an imple- Let the technical solution be developed by those who
mentation have? know the technology.
Technical requirementsOccasionally, technical require-
The initial answer to all three questions is, unfortunately, ments must be considered. For example, if your mobile
It depends. The answer depends not on SharePoint, but sales force is going to use their iPads to access the solu-
on what you are trying to achieve by using SharePoint. The tion that you are providing, then the ability to access
best way to get to the answer that applies to you is to fol- the solution from iPads is a valid technical require-
low my four-step "Architecting Governance" process. By ment. Such technical requirements more often relate to
following this process, not only can you answer the previ- architectureinteroperability with other solutionsor
ous question, but you will have a logical, physical, and gov- infrastructure than to functionality or usability.
ernable architecture that meets your business requirements. Project requirementsThese requirements relate to the
creation of the solution, not to the business purpose of
Given the limitations of space and time, this article will the solution. Budget and deadlines are prime examples
focus on the process itself, which involves four major steps. of project requirements.

SharePoint Pro | October 2011 11

F e a t u r e Governance

Information-architecture requirementsInformation evaluation of options for building or buying the solution.

architecture, in its most traditional denition,
relates to You know youre doing this part correctly whenat least
how content is described, organized, and discovered. once in a whileits determined that SharePoint is not the
Information-management requirementsInformation- right solution for a particular requirement. After all, we can
management requirements dene how the content is agree that SharePoint is not the silver bullet for every busi-
managed over its lifecycle: how is it created, main- ness need, cant we? If your process is strong enough to
tained, and archived or deleted. These requirements overcome loyalty to and enthusiasm for SharePoint when
relate to security, records management, auditing, and its simply not suited for the job at hand, you know you
compliance. have a good process!
Service-management requirementsBehind the solu-
tion, the content, and the information is the service We wont spend any more time on the evaluation of techni-
itself. Service-management requirements describe IT cal options. Because this is SharePoint Pro magazine, well
assurance expectations: recovery, availability, and assume that, for this particular need, SharePoint is the best
performance. These requirements lead to service level solution, and well move on to Step 2.
objectives (SLOs) or service level agreements (SLAs).
Step 2: Align Management Requirements
Categorizing requirements is valuable for several reasons. with Controls and Scopes
First, you can identify the dependencies between require- Now we focus on determining how to architect a
ments. This ability allows you to proceed through the SharePoint service to support your requirements, specifi-
requirement-gathering process in a logical manner. cally those in the service- and information-management
Business requirements and technical requirements must be
defined carefully and understood clearly before you can effec- First, you must identify what I will call SharePoint manage-
tively elicit other requirements. After you have defined the ment controls. A management control is a configurable setting
solution, you can identify the types of information that are that has some effect on SharePoint manageability, and there-
associated with it. This exercise drives you to find the informa- fore on SharePoint governance. Lets take a simple example.
tion-architecture and information-management requirements. One of your service-management requirements should relate
Business, technical, and information-management require- to storage of content (i.e., how much storage the content that
ments determine the service management requirements. All is associated with the solution will consume). The require-
are affected by project requirements such as budget and time- ment to support a specified amount of storage is implemented
lines, and you might need to adjust project requirements to by quotas, of course. Quotas are a management controla
accommodate other categories of requirements. setting that you can configure to support a requirement.

An important take-away: Discussing information manage- Now that youve located the management control that
ment or service management requirements before you have supports your requirement, you must identify the scope
clearly defined the business and technical requirements of that control. SharePoint farms have a physical and logi-
makes little sense. And if the process is undisciplined and cal architecture. The logical architecture is a hierarchy of
additional business or technical requirements are introduced, farms, web applications, content databases, site collections,
you will need to revisit the information-architecture, informa- sites, lists, and libraries. Web applications have zones and
tion-management, and service-management requirements. typically consume one or more services, such as search or
metadata. (This logical hierarchy is shown in Figure 1.)
The second reason why categorizing requirements is valu- The physical architecture relates to the servers in the farm
able is that it allows you to proceed more effectively to the and the distribution of services across those servers. In
next steps in the governance process, in which you will other words, which servers host web sites, which host
focus on supporting the information-and service-manage- services such as search, and which host SharePoint
ment requirements. There will continue to be a two-way databases?
relationship with those pesky project requirements, but at
least you can set aside business and information-architec- Management controls are typically scoped to one, and only
ture requirements, which will have generated the informa- one, container in the SharePoint logical or physical architec-
tion- and service-management requirements. Youll return ture. Quotas, for example, are scoped to site collections. You
to the information-architecture requirements in the last step can set a quota for a site collection but not for a child site
of the governance process. or an entire web application. Nor can you configure a stor-
age limit for an individual user within a team site collec-
After defining requirements, you can begin to design a solu- tion; the out-of-box quota applies to all content in the site
tion that meets those requirements. This phase involves the collection, regardless of who creates the content.

12 October 2011 |

Another example is sandboxed solutions. If you have a ser-
vice-management requirement to isolate custom code, then
you can configure a sandboxed solutiona management
control that scopes to a site collection.

After you have enabled sandboxed solutions, a site collec-

tion administrator can upload solutions to the sandbox and
activate them. There is no out-of-the-box capability to add
a workflow whereby another, higher-level administrator can
approve the solution before it is activated.

A key concept here is out-of-the-box. Although SharePoint

management controls might have certain limited scopes
and capabilities, sometimes you can build or buy tools that
extend those scopes and capabilities.
Figure 1: SharePoints logical hierarchy
So if you run into a situation in which your information- or
Scope is an absolutely crucial concept because it determines service management requirements drive you towards an
whether you need more than one of any object in the logical unacceptable architecture, you can choose to work around
or physical architecture. If the Human Resources (HR) and the limitation, build or buy code that overcomes the limita-
Engineering teams require distinct quotas (for example, tion, or return to the question, Is SharePoint the right tech-
engineers need more storage to support large CAD documents nical solution to address the requirements?
and images), then you have only one option.
This is the nitty-gritty part: You must determine how
To support those disparate requirements, you need two SharePoint can support your information- and service-man-
scopesone for HR and one for Engineeringto which you agement requirements through out-of-box or extended man-
can apply different quotas. And that means that you must ageability controls, and which logical and physical architec-
have two site collections. ture is necessary to scope the settings that you require. (I
will dive into numerous examples of how to succeed with
If every solution in your enterprise has identical informa- this stepand how to fail miserablyin future articles.)
tion- and service-management requirements, then you
can get by with a single farm, a single web application, Step 3: Align Business Requirements with
a single content database (subject to a sizing guidance of Controls, Features, and Scopes
4TB) and a single site collection. But youre highly likely to After you put a set of requirements through Step 2, you typ-
have solutions that have different information- and service- ically will have an architecture that defines farms, servers,
management requirements, necessitating more than one of web applications, content databases, and site collections.
many or all of these scopes. Occasionally, your architecture will dive deeper into sites,
lists, and libraries. The resulting architecture will support
In fact, so many management controls are scoped to site your information- and service-management requirements.
collections that I like to refer to site collections as the
administrative container in the SharePoint architecture. You can then further refine that architecture to support busi-
Many service- and information management controls, ness requirementsspecifically those functionality require-
including quotas, ownership (Site Collection Administrators ments that are implemented as a feature, template, list,
membership), tenancy, user and group management, audit- library, or site definition.
ing, locks, sandbox solutions, and search settings, are
scoped at the site-collection level. For example, suppose that a business requirement can be
supported by providing the leader of a team site with a blog.
You also must consider the capabilities of the management SharePoint implements blogs as a site definition (or tem-
control. What is possible, and what is not possible? plate), so your logical architecture must include a site for
the blogtypically, one that will be distinct from other col-
For example, assume that you have the wild service-man- laborative content on a team site.
agement requirement to back up data in a large solution
every minute. Assuming that the content is of any size, you Step 3 is similar to Step 2, but youre using a different set
simply are not going to be able to meet that requirement by of requirements at this point, to drive the lower levels of
using SharePoint backup APIs. your logical architecture. You did not consider business

SharePoint Pro | October 2011 13

F e a t u r e Governance

requirements in Step 2, although these requirements day-to-day basis. A disconnect exists between governance
informed the information- and service-management require- and ease of use, and that disconnect is an unfortunate side
ments that you did consider. effect of using a platform with limited but rich features to
support an unlimited number of business requirements.
When you complete this step, you will generally find that Workarounds, PowerShell, and extensions to SharePoint
you have added some child sites, lists, and libraries to the become crucial. Luckily for us all, SharePoint has an
logical architecture that you produced in Step 2. Step 3 typi- extraordinary community of consultants, developers, project
cally does not involve modifying the farms, servers, web managers, IT pros, MVPs, and ISVs to help us succeed.
applications, content databases, or site collections in the
architecture. In this article, Ive outlined the process through which
you can get from requirements to a governable SharePoint
Step 4: Overlay Information Architecture and architecture. Half the story is what SharePoint can and cant
Manageability do, and how it was designed. The other half is what youre
As you can imagine, even a simple SharePoint implementa- asking SharePoint to do. There are myriad examples to
tion is likely to have more than one site collection, web illustrate that those two things dont always align as neatly
application, and farm. And as soon as content is distributed or easily as you would hope.
across more than one site collection, web application, or
farm, or across more than one content database or server, Im not saying the governance process is easy, but it is nec-
working with SharePoint becomes more difficult. essary. In an upcoming article, Ill show you several com-
mon examples of real-world scenarios and how they affect
First, navigation becomes a challenge. When you create your logical and physical architecture.
content within a single site collectiona child site, for InstantDoc ID 140244
exampleyou can add links to the parent container so that
users can navigate easily.

However, when you create a second site collection, no such

navigation links are created. You must either manually
manage navigation or build or buy a tool that manages and
presents a navigation structure.

Administration also becomes more difficult. If a user needs

access to content in each of the two site collections, then
the user must be added to each site collection individually;
identity management is scoped at the site collection.

If you need to pull an audit report of content, you must pull

reports from both site collections; auditing is configured
and reported at the site collection scope. Because site col-
lections are, in my words, the administrative container of
SharePoint, your administrative burden increases as soon as
you have more than one.

To address administration and management of a SharePoint

implementation with more than one farm, web application,
content database, or site collection, Windows PowerShell is
your best friend. PowerShell can iterate (i.e., loop) through
your architectural elements and can perform repetitive tasks
quickly and easily. Several third-party tools also give you a
single-pane-of-glass view of your SharePoint service, regard-
less of how complicated its logical and physical architecture
might be.

When you architect a governable SharePoint implementa- Dan Holme is an MVP in SharePoint Server and is the Chief Share-
tion, you will almost certainly end up with one that is Point Evangelist for AvePoint. Follow him on Twitter @danholme.
more difficult than youd actually prefer to manage on a You can reach Dan at

14 October 2011 |

By Andrew Connell
Conne l

SharePoint Designer
Address SPD 2010 limitations with the help of Visual Studio

he complete workflow story was significantly improved Challenges with VS 2010 Workflows
in SharePoint 2010 as Microsoft invested in SharePoint Many customers concluded their only option was to move
Designer 2010 (SPD 2010) capabilities in creating cus- to Visual Studio (VS) 2010 for creating their workflow
tom workflows with the SharePoint 2010 release. SPD 2010 solutions. This presented other challenges, though. For
is a tool that can create powerful declarative workflows, instance, all VS 2010 workflows are code based and must
but previous versions were dismissed by many because its be deployed as fully trusted farm solutions; its not possible
workflows were tied to a specific list at design time, which to deploy a workflow built in VS 2010 to the sandbox. VS
meant there wasn't a good option for creating and deploying 2010 workflows are usually built only by developers, not by
workflows with a simple copy-paste deployment between a power users or the business analysts who best understand
development and production environment. the business process being automated by the workflow.

SPD 2010 changed this with the ability to support reus- Addressing SPD 2010 Limitations
able (aka content type) workflows that could be created In the first few months after SharePoint 2010's release, I saw
in one environment, saved as a sandbox solution package, that many people were still in what I considered the SharePoint
and easily saved and deployed to another environment. 2007 mode of thinking with respect to workflow. This thought
It also added other very important improvements such as process usually involved ditching SPD 2010 as the workflow
impersonation steps, a better workflow designer, the ability tool and building the workflow with VS 2010 when one of the
to import workflows authored in Visio 2010, and a signifi- aforementioned limitations was encountered. I find this disap-
cantly improved task approval process designer. pointing because building workflows with VS 2010 leaves a
lot on the table. You lose the ability to have declarative-only
Challenges with SPD 2010 Workflows workflows that can be deployed to the sandbox, your develop-
However with all these improvements, a few things still ers arent in charge of building a business process, and worst of
lead people to dismiss SPD 2010 as their workflow tool. For all, more custom code needs to be maintained.
instance, SPD 2010 cant support loops or state machine
workflows. SPD 2010s declarative workflows are limited to This is disappointing because typically the majority of the
sequential workflows that can have decision points (IF workflow process can be expressed using SPD 2010, with
statements), but there is no looping process. only one or two small pieces that SharePoint 2010 cant
handle. These few pieces push people to VS 2010. But
In addition, SPD 2010 doesnt provide low-level debugging instead of throwing the whole workflow out, why not
or elevation of privileges. Debugging is limited to monitoring address the problem?
what inputs are provided to the workflow and how it reacts.
Another big limitation of SPD 2010-authored workflows One option is to have a developer create a custom action
is that they can access content only within the same site (otherwise known as an activity) with VS 2010 and deploy
where theyre running; they cant access content from other it to SharePoint 2010. When a user opens the site in SPD
sites, site collections or external feeds, or Web services. 2010, the custom action will be available in the last of the

SharePoint Pro | October 2011 15

F e a t u r e SharePoint Designer 2010

namespace CPT.Samples.SandboxedAction {
public class UpdateWebDescriptionAction {

public Hashtable UpdateWebPropertyBagValue(SPUserCodeWorkflowCont

ext context) {
using (SPSite siteCollection = new SPSite(context.CurrentWebUrl))
using (SPWeb site = siteCollection.OpenWeb(context.
CurrentWebUrl)) {
site.Description = "Updated from custom sandbox action at " +

return new Hashtable();



Listing 1: Code for a Custom Sandboxed Custom Action

<Elements xmlns="">
<Action Name="Update Site Description (sandboxed)"
Category="CPT Actions">
<RuleDesigner Sentence="Update current site description to
current timestemp." />
<Parameter Name="__Context" Direction="In" DesignerType="Hide"
WorkflowContext, Microsoft.SharePoint.WorkflowActions" />
</WorkflowActions> Figure 1: View of new custom action options

Listing 2: Code to Register an Action Using an Element Manifest File

public partial class UpdateWebDescriptionActivity : Activity {

actions that can be used in the declarative workflow. These public static DependencyProperty __ContextProperty =
DependencyProperty.Register("__Context", typeof(WorkflowContext),
custom actions can be deployed either to the sandbox or as typeof(UpdateWebDescriptionActivity));

a fully trusted farm solution and are scoped to a particular public WorkflowContext __Context {
site collection. get { return (WorkflowContext)base.GetValue(__ContextProperty); }
set { base.SetValue(__ContextProperty, value); }

Capabilities of Custom Actions protected override ActivityExecutionStatus Execute(ActivityExecuti

A custom action is no different than the type of actions onContext executionContext) {
__Context.Web.Description = "Updated from custom sandbox action
(aka activities) in VS 2010-based workflows. Youre simply at " + DateTime.Now.ToString();
return ActivityExecutionStatus.Closed;
wrapping up custom code in a reusable component. This }
custom component could call out to another Web service or }

feed or impersonate a more privileged user or even access Listing 3: Code Required in a Custom Action Deployed as a
content on other SharePoint sites or site collections. You Farm Trusted Solution
can address almost every single SPD 2010 limitation with a
custom action created in VS 2010. The two biggest excep- the declarative SPD 2010-based workflows they will be used
tions to this rule are the inability to simulate state machine within can be run from the sandbox. A mixed story of having
workflows and the ability to create sophisticated loops. to tell a customer you need to deploy this farm trust solution
SharePoint 2010 lets developers create two different types for a custom action that is used by this sandbox solution
of custom actions for use within declarative workflows doesnt sound so good, nor does it permit the entire solution
authored with SPD 2010: sandboxed actions and full trust to be used within most hosted SharePoint deployments.
actions. Lets now look at these options.
As with other sandboxed solutions, a sandboxed custom
Sample Sandbox Custom Action action will have such limitations as the inability to issue
In my opinion, developers should try to create sandbox cus- Web service calls, database calls, or impersonate a user
tom actions before creating full trust custom actions, because with elevated permissions. Listing 1 shows a custom

16 October 2011 |

workflows with SPD 2010, instead of limiting that process
to developers who have VS 2010.
InstantDoc ID 140458

Figure 2: Another view of new custom action options Andrew Connell ( is a
developer, speaker, and cofounder of Critical Path Training (www
sandboxed custom action that sets the value of the cur- He is a six-time MVP for Content
rent sites description. It was built with VS 2010, using the Management Server (2005-2006) and SharePoint Server (2007-2010).
Empty SharePoint Project template. After
the action is built, register it using an
element manifest file in the Feature that
will make SPD2010 aware of the action.
This file, which Listing 2 shows, contains
information about the action as well as
the designer to use within the SPD 2010
interface. Build and package the project to
create a WSP and add it to a site collec-
tions solution gallery. After the solution
is activated in the solution gallery, when
users open the site in SPD2010, they will
see the new custom action (Figure 1 and
Figure 2).

Sample Farm Trust Custom

The sandboxed custom action wont give
you everything you need. Maybe you
want to make a call to a custom data-
base or an external Web service. These
require creating a full blown custom
activity in VS 2010. The code sample in
Listing 3 shows the code required in a
custom action deployed as a farm trusted
solution. Just like the sandboxed custom
action, this project requires a separate
custom actions file to make SPD 2010
aware of the custom action and can be
used the same way deployed to the
Workflow directory. For more details on
creating sandboxed and full trust cus-
tom actions, see Inside SharePoint 2010
(MSPress), by Ted Pattison, Andrew
Connell et al, or go to the SharePoint SDK

Empower Users
I hope you will consider the idea of hav-
ing developers create custom actions using
VS 2010 to augment and empower SPD
2010 workflows. This approach limits the
amount of custom code deployed, and thus
maintained, in an environment, and it also
ensures more people can create custom

SharePoint Pro | October 2011 17

Byy Todd O. Klindt

Three lessons you dont have to learn the hard way

s with any new release, there was a lot to learn Lesson 1: Just Use It
when SharePoint 2010 hit the streets. Typically, Im One day it hit me: I was going at this backward. Instead
up for such a challenge. Heck, I revel in it. How- of learning the language so that someday I could use
ever, one of the biggest challenges that I almost didnt over- PowerShell to get tasks done in SharePoint, I should start
come was learning Windows PowerShell. trying to automate daily SharePoint tasks as a way to learn
the language. Of all the PowerShell lessons Ive learned,
Ive been working with SharePoint for a long time. this one is the most important. That was the day the skies
Although I started with SharePoint Team Services 2001, I opened and the sun shone down on me and PowerShell.
cut my teeth with Windows SharePoint Services 2.0 (WSS
2.0). I used it to manage a farm with more than 1,200 site Lesson 2: Make Get-Member Your Hero
collections and more than 10,000 subsites, which are often My first scripts were mundane, simple stuff like getting a
referred to as webs. I learned early on to embrace scripting. list of site collections with Get-SPSite or a list of webs with
Get-SPWeb. Although they were basic, they did ease me
I became especially good friends with the Stsadm com- into concepts like PowerShells pipeline and how to format
mand-line tool. Stsadm let me manage the large farm and command output with cmdlets such as Select-Object and
still have time to watch hysterical cat videos on YouTube. I Format-Table. I was able to write handy one-liners like this:
wrote a TechNet Magazine article on Stsadm, a book chap- Get-SPSite -Limit all |
Select-Object Url, Owner, SecondaryContact |
ter on Stsadm, and spoke at TechEd on, you guessed it, Format-Table -AutoSize
Stsadm. Imagine my shock and horror when I found out
that SharePoint 2010 was going to transition to PowerShell (Although this command wraps here, youd enter it all on
and my beloved Stsadm was being deprecated. one line in the PowerShell console. The same holds true for
the other commands that wrap.) This one-liner returns a
Until that moment in 2009, my exposure to PowerShell handy list of all the site collections in the farm, along with
had been limited. I had avoided it because it seemed too each site collections owner and secondary owner.
developery for my tastes. It had objects, whatever those
are. Stsadm, while limited and quirky, was easy to tame. In this one-liner, its intuitive that the Owner property stores
PowerShell was complicated and bombastic. I wasnt sure if the name of the owner, but the same cant be said for
I was smart enough to trick it into doing my bidding. I found SecondaryContact property, which stores the name of the
myself in the first of the seven stages of grief. secondary owner. An objects properties and methods arent
always intuitive, which is one of PowerShells little quirks
After I made it to the seventh stage, Acceptance, I got back that contribute to its bad reputation and high learning curve.
up on my horse and started trying to conquer this beast. I
bought PowerShell books and looked for PowerShell sup- Fortunately, PowerShell has the Get-Member cmdlet, which
port groups in my area. Nothing seemed to work. I still has rescued me on many occasions. You can use it with any
couldnt do anything with it besides adding two numbers object to learn about that objects properties and methods.
together and writing Hello World on my screen. Maybe I For example, you can see all the properties of the SPSite
wasnt smart enough to use PowerShell. object with the following command:

18 October 2011 |

Get-SPSite | Get-Member
#Make a backup copy of the HOSTS file with today's date.

# Make sure the SharePoint extensions are loaded.

Running this command is how I discovered that I had to Add-PSSnapinMicrosoft.SharePoint.PowerShell -EA 0
use Owner and SecondaryContact to retrieve the names
$hostsfile = 'C:\Windows\System32\drivers\etc\hosts'
of the primary and secondary owners. Its also how I dis- $date = Get-Date -UFormat "%y%m%d%H%M%S"
$filecopy = $hostsfile + '.' + $date + '.copy'
covered countless other gems about all types of objects. Copy-Item $hostsfile -Destination $filecopy
Walking through an objects list of properties and methods
# Get a list of the Alternate Access Mappings (AAMs) and
has not only helped me figure out how to accomplish a #weed out the duplicates.
$hosts = Get-SPAlternateURL | ForEach-Object {$_.incomingurl.
given task but also inspired me to write scripts. replace("https://","").replace("http://","")} |
Where-Object { $_.tostring() -notlike "*:*" } | Select-Object
For example, after getting the members of the SPWeb
# Get the contents of the HOSTS file.
object, I was inspired to write another handy one-liner. $file = Get-Content $hostsfile
In my SharePoint 2003 and SharePoint 2007 days, I often $file = $file | Out-String

helped users troubleshoot SharePoint web problems. Id # Write the AAMs to the HOSTS file, unless they already exist.
$hosts | ForEach-Object { if ($file.contains($_))
ask them, Which template was used to create this web? {Write-Host "Entry for $_ already exists. Skipping"} else
They never knew because most of the time they werent the {Write-host "Adding entry for $_" ; add-content -path $hostsfile
-value " `t $_ " }}
people who created that web. Different webs have different
# Disable the loopback check, since everything we just did will
Web Parts and features, so knowing which template was fail if it's enabled.
used to create a web is helpful. In SharePoint 2003, there New-ItemPropertyHKLM:\System\CurrentControlSet\Control\Lsa -Name
"DisableLoopbackCheck" -Value "1" -PropertyTypedword
was no way to get that information. In SharePoint 2007,
there wasnt a way before SP2 came out. With PowerShell, Listing 1: PowerShell Script to Write SharePoint URLs to a
Servers HOSTS File
its easy to discover the template with the command:
Get-SPWeb |
Select-Object Url, WebTemplate, WebTemplateId | Listing 1 shows one of my latest creations. This script writes
Format-Table -AutoSize
SharePoint URLs to a servers HOSTS file. As a rule, I always
I would have never thought to use PowerShell for this, point my SharePoint servers at themselves in their HOSTS
but when I used Get-Member with SPWeb I saw the files. This aids in troubleshooting and helps control which
WebTemplate property and my curiosity was piqued. Now I machines the search indexer uses when it performs crawls. I
have another invaluable tool in my bag of tricks. found myself making the same changes over and over when
I performed installations, so this task was a perfect candidate
Lesson 3: Take Command with Get-Command for PowerShell. To write this script, I needed to understand
Knowing an objects members is good, but only after how to get PowerShell to manipulate not only SharePoint but
youve figured out which objects and cmdlets to use. How also file systems and the registry. I also needed to be able to
to discover cmdlets was another important lesson I learned. walk through a collection of objects with a ForEach loop and
Get-Command lists cmdlets based on the criteria you pro- manipulate values with the Replace and ToString methods.
vide. My first introduction to Get-Command was the follow- Fortunately, I had that foundation, and I was able to write
ing one-liner, which lists all the SharePoint-related cmdlets: that script with little effortmy favorite kind of writing. You
Get-Command -Module Microsoft.Sharepoint.Powershell
can find more information about this script in my blog post
Then I refined my cmdlet searches with other parameters.
For example, the following one-liner lists all the cmdlets Becoming proficient in PowerShell made me a better
that deal with site collections, or SPSites as PowerShell SharePoint administrator and probably a better person. It
refers to them: allows me to automate common SharePoint tasks as well
Get-Command -Noun SPSite
as accomplish some uncommon tasks. On top of that, I can
use that same PowerShell knowledge in other products such
You can substitute any cmdlet verb or noun in that com- as Windows Server and SQL Server. I have not only learned
mand. You can also use wildcards like this: PowerShell but also learned to love it.
Get-Command *SPSite*
InstantDoc ID 140143

A Foundation for the Future

Although I learned these three lessons the hard way, they
have allowed me to build an ever-growing foundation of
PowerShell understanding. By forcing myself to learn how
to do boring everyday tasks in PowerShell, I was gathering Todd O. Klindtt ( is a consultant for
the skills needed to write more complicated scripts. SharePoint911 and a SharePoint MVP.

SharePoint Pro | October 2011 19

Byy Todd
d Baginski

WCM Sites
Three lessons learned while building public-facing websites

harePoint Server 2010s web content management payload to begin with. For example, the out-of-the-box
(WCM) capabilities let developers create compelling SharePoint Publishing Site home page makes 37 requests
public-facing websites built on the SharePoint plat- and downloads a total of 635,348 bytes, as Figure 1
form while enabling content owners to easily manage and shows. Many of these requests are for JavaScript files and
update the content in the websites without writing a single Cascading Style Sheets (CSS) files.
line of code. When SharePoint websites are properly archi-
tected, content owners can use a web browser to update As you add new graphical elements, content, and function-
content stored inside SharePoint lists. They can edit the ality to your pages, the page payload increases even more.
content directly within the body of a web page or edit the To make sure that your pages are as small as possible and
list content in a SharePoint lists edit form. load quickly in a web browser, you can take advantage of
the following techniques.
My experience building custom WCM sites with SharePoint
Server 2010 started early in its product cycle. I was leading Combine and minify JavaScript and CSS files. To help
the architecture and development team that was charged keep your pages as small as possible, you can package and
with upgrading the platform of the SharePoint marketing deploy your CSS and JavaScript files with the following
website from Microsoft Office SharePoint Server 2007 (MOSS guidelines in mind. Whenever possible, combine all of your
2007) to SharePoint Server 2010. We launched the marketing custom JavaScript files into a single file. This reduces
website on the Beta 1 build of SharePoint Server 2010 during the number of requests the web browser has to make to the
Steve Ballmers keynote address at the Microsoft SharePoint SharePoint server and cuts down on page load time. The
Conference in 2009. Its safe to say that my team and every-
one else who worked on the website was nervous about
going live with a Beta 1 build, but it turned out the product
was stable enough. After the website was launched, other
teams transitioned the site to the Beta 2 and release to man-
ufacturing (RTM) builds and redesigned the site to give it
the look and feel you see today at

While working on the SharePoint marketing website and

several othersincluding the Microsoft Visio (visio and Microsoft Lync (
marketing websitesI learned many lessons about building
public-facing websites on the SharePoint 2010 platform. Ill
share three lessons that I feel are most helpful because they
involve techniques that you can use to prevent or solve
common problems.

Lesson 1: Pay Attention to Page Size

Figure 1: Waterfall report for the out-of-the-box SharePoint
As you develop SharePoint sites, you need to keep in Publishing Site home page
mind that the out-of-the-box SharePoint pages have a large

20 October 2011 |

Turn off View State. Another overlooked performance
tweak is turning off the View State mechanism for the
controls you place in web pages. This helps reduce page
payload considerably. Unless your controls require that
the View State mechanism be enabled, turning it off wont
adversely affect your website. For anonymous public-facing
Internet sites, View State typically isnt required.

The amount of data that a control stores in its ViewState

property varies. A small view state of 1,500 to 2,000
bytes is pretty typical for a page in a SharePoint website.
However, youd be surprised how many SharePoint sites
have a view state of 9,000 bytes or more. It might not
sound like a big difference, but the bytes add up.

Load content asynchronously. Lazy loading content

asynchronously, and only as needed, is a slightly more
advanced technique to reduce page payload. This tech-
Figure 2: Regions that asynchronously load new images without nique reduces the size of the initial page load. Sometimes
refreshing the entire web page
the reduction is substantial, but it depends on the design
and functionality of the website. The JQuery library makes
same principle applies to CSS files. However, this might implementing this approach easy.
not always be possible to do, depending on how your com-
ponents are architected. So, you should combine all your The Visio marketing website shown in Figure 2 provides
CSS files into a single file whenever possible. In addition to a good example of this technique. The red boxes indicate
combining all your JavaScript and CSS files, minify them where users can click to load additional information, with-
whenever possible. For example, you can remove the white out refreshing the web page in the browser. Each time one
space and line breaks in these files to make them as small of these regions is clicked, an asynchronous call is made to
as possible. retrieve the corresponding image. By taking this approach,
only the initial image is loaded when a user first visits the
Use content delivery networks (CDNs). When possible, website. The initial page load for this web page uses 70
you should use CDNs to load JavaScript files. For example, requests to load a total of 895,040 bytes. Without asyn-
you can use the minified JQuery library (jquery-1.6.2.min chronous content loading, there would be 22 additional
.js) and the minified JQuery UI library (jquery-ui.min.js), requests and an additional 729,549 bytes loaded.
which are part of the Microsoft Ajax CDN (
ajaxlibrary/cdn.ashx). Suppress JavaScript files for anonymous users. Another
advanced technique to optimize the size of your page pay-
CDNs have two benefits. First, they speed up loading load is suppressing the loading of certain JavaScript files
assets. Assets are loaded to users browsers from the clos- for anonymous users. For example, anonymous users dont
est servers possible. Second, CDNs reduce the amount of interact with the ribbon on your SharePoint site, so loading
bandwidth consumed between the SharePoint servers and the sp.ribbon.js file isnt required. Other files you can typi-
browsers, thus saving you money on bandwidth usage. cally suppress are the cui.js and core.js files. Collectively,
these files add three requests and 233,099 bytes to your
Remove comments. Removing comments is perhaps the page payload size.
most often overlooked performance tweak you can make to
a website. Many times developers dont remove comments This technique requires the greatest amount of testing to
from the JavaScript files, CSS files, page layouts, or master ensure that your website will perform properly when these
pages in their SharePoint sites before deploying them to files are suppressed, especially if youre using a large num-
production. ber of out-of-the-box Web Parts. Also, keep in mind that if
youre using SharePoints ECMAScript Client Object Model,
For example, in one of my clients websites, I found com- the core.js file shouldnt be suppressed. To learn more
ments in a previously deployed master page that added 5KB about this technique, check out Chris OBriens excellent
to the page payload size. Comments can be very helpful blog Eliminating large JS files to optimize SharePoint 2010
during development, but whenever you can do so, elimi- internet sites (
nate comments from the assets you deploy to your website. eliminating-large-js-files-to-optimize.html).

SharePoint Pro | October 2011 21

F e a t u r e Custom WCM sites

The product video section employs an out-of-the-box

Content By Query Web Part that uses custom Extensible
Style Language (XSL) code to format the data it displays.
The scrolling effect is accomplished with JQuery.

In more complex scenarios, you can develop custom Web

Parts that inherit from the Content By Query Web Part. A
perfect example is the Web Parts in the Visio marketing
website in Figure 5.

The green box highlights an out-of-the-box Content By

Query Web Part configured to display sorting criteria and
apply them to the page. The two red boxes highlight cus-
tom Web Parts that inherit from the Content By Query Web
Part. The custom Web Part on the left provides metadata-
based filtering capabilities. It queries the SharePoint
Figure 3: Content By Query Web Part displaying videos stored in Managed Metadata Service to retrieve and display terms in
a SharePoint list the term store for the content on the page. The custom Web
Part on the right displays the filtered items. All three Web
Parts on the page use custom XSL code to define their look
and feel.

Its important to understand how Content By Query Web

Parts behave in anonymous access scenarios. First, be aware
that you shouldnt link to specific list items from Content By
Query Web Parts because the ability for anonymous users to
Figure 4: The same Content By Query Web Part displaying the
view form pages isnt enabled, even when anonymous access
next video in the list
is enabled on the SharePoint website. However, you can turn
on this functionality programmatically.
Understanding the various options to reduce page size can
help your SharePoint websites perform well. However, in You also need to be aware that the Content By Query Web
the real world, not all website projects have the time or Parts CopyUtil functionality will break if the lockdown fea-
budget allocated to implement all of these techniques. Its ture is enabled. (CopyUtil.aspx is found under the _layouts
certainly possible to create SharePoint websites that have virtual directory.) To work around this problem, target all
acceptable page payload sizes without implementing all of
these techniques.

Also, keep in mind that page payload size isnt the only
factor that makes a fast SharePoint site. Many other perfor-
mance considerations should be taken into account, such as
the quality of your custom code, cache setup, server farm
hardware, and network configuration.

Lesson 2: Use Content By Query Web Part

Although the Content By Query Web Part hasnt changed
much in SharePoint 2010, it still remains a very powerful
tool that you can use to display content in a compelling
way. The Lync marketing site in Figure 3 uses the Content
By Query Web Part to display product-related videos.

The section of the page with the red box around it displays
videos stored in a SharePoint list. When a user clicks the
arrows at either end of the video list, the Web Part brings
Figure 5: Content By Query Web Parts that provide metadata-
the next video into view and asynchronously loads the cor-
based sorting and filtering
responding image, as Figure 4 shows.

22 October 2011 |

Figure 8: Sample data in a hidden list that stores rating data

The second approach is to create your own ratings control

that allows anonymous users to rate content. The Visio
marketing website implements this approach. The anony-
mous ratings Web Part created for this website stores rat-
ings in a custom hidden SharePoint list. Figure 8 shows
sample data in the hidden list that stores the rating data.

The anonymous rating Web Part uses the SPSecurity

Figure 6: Out-of-the-box rating control with a Sign In link .RunWithElevatedPrivileges method to create and update
the list items that store the rating data. AJAX is used to
submit ratings and retrieve them without refreshing the
entire Web page. The JQuery library is used to manipulate
the CSS and associated elements in the Web Part.

When Gary Lapointe and I built the anonymous rating Web

Part, we used the same CSS as the out-of-the-box rating con-
trol so that our anonymous rating Web Part looked like the
out-of-the-box ratings control. The anonymous rating Web
Part uses cookies to determine if the user viewing the page
has previously rated the item. This approach is less fool-
proof than the other approach because a user can delete
Figure 7: Out-of-the-box rating control when a user is signed in
the cookies and rate the item again. However, this approach
lets anonymous users rate items in SharePoint without log-
the links in your Content Query Web Part to publishing ging in. For the Visio website, having people possibly rate
pages in your SharePoint websites. an item more than once wasnt considered a big enough
risk to require users to sign in.
Lesson 3: Learn How to Allow Anonymous
Users to Rate Content Techniques Help Solve Common Problems
More often than not, when you create a new website nowa- These three lessons are only some of the lessons I learned
days, one requirement is the need to let users rate content while building public-facing Internet sites on the SharePoint
in the website. SharePoint 2010 ships with functionality that platform. The techniques they teach can help you prevent
allows users to rate any list item in a SharePoint website, or solve common problems, so keep them in mind when
such as pages, videos, pictures, audio clips, or anything you build your SharePoint websites. Also keep in mind that
else you can store in a SharePoint list. However, this ratings you need to consider many other performance, usability,
functionality is designed to work only for users who are and supportability issues to make sure that your website
logged on to the SharePoint website. There are two ways to meets the needs of the website owners and end users.
implement ratings functionality in public-facing SharePoint InstantDoc ID 140142

The first way is to require users to sign in before they can

rate an item. An example of this scenario is the SharePoint
marketing website. In Figure 6, the rating for the video is
displayed in the lower right of the screen. When users arent Todd Baginski ( is a consultant, founding
signed in, the Sign In link appears below the rating control. partner, and director at Aptillon and six-time Microsoft SharePoint
When users click the Sign In link, theyre redirected to the Server MVP. He is the content author and presenter for the BCS
page where they can sign in with their Windows Live IDs. portion of the SharePoint MCM program, and a regular speaker
After they sign in, theyre redirected back to the page where at the TechEd, SharePoint Connections, and Microsoft SharePoint
they started (see Figure 7), and the ratings control is enabled. conferences.

SharePoint Pro | October 2011 23

By Celina Baginski

15 SharePoint 2010
Easily customize SharePoint to attract visitors and end users

hen I first started branding for SharePoint 2010, side. In 2010, you can pin a gallery so that a mini-gallery is
I began making a list of branding tips to share always visible below the navigation pane (see Figure 1). To
with the students in my branding courses. Here pin a gallery, hover over the link that you want to pin, then
are some of the tips that my students and I have found click the pin icon when it appears. This gallery will continue
most useful. to be displayed even if you browse to another gallery.

SharePoint Designer Tips Tip 3: Use Ctrl + click to jump to the code of a class. Both
The SharePoint Designer 2010 interface is radically different SharePoint Designer 2007 and 2010 provide a helpful feature
from the 2007 interface. These SharePoint Designer tips will that lets you click an
help simplify your work with SharePoint Designer 2010. underlined class name
while holding down the
Tip 1: Change master page content type to Publishing Ctrl key. Do this in your
Master Page. My first SharePoint 2010 branding project master page or page
included importing a master page and making a few edits. layout to go directly to
I noticed that when I imported my master page in 2010, it that piece of code. For
wasnt in the master page folder. example, if you click
In SharePoint Designer 2007, both the master pages and the in your master page, the
page layouts are stored in the masterpage folder located in corev4.css file (where
the _catalogs folder. However, in SharePoint Designer 2010 that class is located)
there are separate files, one for master pages and another opens. Additionally,
for page layouts. If you open SharePoint in a web browser youll be taken directly
and click Site Actions, Site Settings, then click Master pages to that piece of code
and page layouts in the Galleries section, youll see that within that file. Figure 1: Pinning a gallery
your master page was uploaded successfully. Youll also
notice that the icon next to the file name indicates that Tip 4: Access the
its a master page file. But why is it not showing up in the Toolbox easily. Ive
Master Pages folder in SharePoint Designer 2010? received several ques-
tions regarding open-
If you choose Edit Properties for the master page file, youll ing the Toolbox in
see in the Content Type dropdown menu that Page Layout SharePoint Designer
was the default when the master page was uploaded. As a 2010. After you have
result, the master page that you recently uploaded is in the opened an editable
Page Layout folder, not in the Master Pages folder. To change 2010 file, such as a
this, simply change the content type of your master page by master page or a .css
selecting Publishing Master Page in the Content Type drop- file, the View tab will
down menu. In SharePoint Designer 2010, refresh the Master appear on the ribbon.
Pages folder by pressing F5, and youll see your imported Just click the Task
master page in SharePoint Designers Master Pages folder. Panes drop-down list
from the ribbon, then
Tip 2: Pin a gallery. In SharePoint Designer 2007, I was used click Toolbox. (See Figure 2: Open Toolbox
to developing with the Folder List always visible on the left Figure 2.)

24 October 2011 |

Tip 5: Know the difference between Page fields and Content in the content page directive. To apply Site Master Page
fields. In the Toolbox, youll find a list of Page fields and Content using SharePoint Designer, right-click a master page file,
fields. Why are these site columns categorized differently? The and click Set as Custom Master Pagee (see Figure 4).
Page Fields category contains site columns that are inherited
from the parent content type from which the page layout was System Master Page is used by non-publishing sites, pub-
created. The Content Fields category contains site columns that lishing site subpages (such as list views, libraries, and
are specific to the content type that the page layout was created forms), dialog pop-up windows, and application pages. Its
from. Figure 3 shows a list of Page fields and Content fields. defined by the dynamic token ~masterurl/default.master
in the content page directive. To apply System Master Page
Master Page Tips using SharePoint Designer, right-click a master page file,
These master page branding tips are needed for almost and click Set as Default Master Page.
every branding project.
Tip 9: Hide content placeholders not used by SharePoint
Tip 6: Use the After property to force a .css file to load 2010. A handful of content placeholders arent required for
after another. When you reference a .css file in your mas- your SharePoint 2010 master page, but they are required for
ter page, the After property is helpful. The After property backward compatibility. If you know that your master page
is new to SharePoint 2010 and is used to force a .css file will be used only for SharePoint 2010, you can hide the
to load one after the other. For example, if you reference a backward-compatible content placeholders in your master
custom .css file in your master page and the After property page to reduce the amount of HTML thats rendered when
reads After="corev4.css", your custom .css file will load the page loads. Note that you cant delete the unused con-
after the out-of-the-box corev4.css file. You can use this tent placeholders because youll receive an error message
After property more than once to specify that an entire list saying that SharePoint is looking for that particular content
of .css files should load one after the other. In the follow- placeholder. The
ing example, customfile1.css loads after corev4.css: proper thing to do is
to hide them.
<SharePoint:CSSRegistration Name="/Style Library/
customfile1.css" After="corev4.css" runat="server"/>
The out-of-the-box
Here is another example showing how customfile2.css loads v4.master file uses
after customfile1.css: CSS to override these
content placeholders.
<SharePoint:CSSRegistration Name="/Style Library/
customfile2.css" After="customfile1.css" runat="server"/> (Search for the s4-die
class, and youll see
Tip 7: Use the $SPUrl token to reference a .css file. If you several instances of
need to make a reference to your .css file and specify that this class.) However,
its located at either the root of a site collection or at the placing these con-
root of a subsite site, you can use a $SPUrl token. Heres an tent placeholders in
example of how to reference a .css file thats located at the a non-visible panel
root of a site collection: instead of hiding
them through CSS is a
<SharePoint:CSSRegistration name=<% $SPUrl:
~sitecollection/Style Library/customfile.css %>" more efficient option
after="corev4.css" runat="server"/> that will help your
page to load faster.
And heres an example of how to reference a .css file thats Figure 5 shows nine
located at the root of a subsite site: non-required content
<SharePoint:CSSRegistration name=<% $SPUrl: placeholders in a non-
~site/Style Library/customfile.css %>"
after="corev4.css" runat="server"/>
visible panel.

Tip 8: Apply master pages to publishing sites. To apply Tip 10: Learn the
master pages to publishing sites in SharePoint, click Site master pages. Four
Actions, Site Settings, then click Master Page under Look out-of-the-box mas-
and Feel. Youll see two sections (Site Master Page and ter pages are often
System Master Page) that include drop-down lists. used for branding in
SharePoint 2010. The
Site Master Page is used by publishing content pages and is default.master page, Figure 3: Page Fields and Content Fields
defined by the dynamic token ~masterurl/custom.master also known as v3

SharePoint Pro | October 2011 25

F e a t u r e 15 Branding Tips

The second approach is to fix the width of the body area

and the entire ribbon. This works well if your design looks
best when the entire ribbon is a fixed width. However,
there will be unused space at the top of the scroll bar. To
use this second approach, add the CSS code in Listing 2 to
your master page or style sheet.

You can remove the extra white space where the back-
ground of the ribbon used to be by completely reverting
back to the browsers traditional scroll bar. To do this,
the ribbon-positioning method needs to be turned off or
removed by deleting the ID s4-workspace from the master
page. There are consequences to removing this ID from
the master page. One known consequence is that the
Gantt view of a project list no longer appears. To use this
approach, search for id="s4-workspace" and remove it
from the <div> container in your master page.
Figure 4: Apply master page from SPD 2010

The last option is to add inline styles to your master page to

master, is equivalent to the default master page in SharePoint set a fixed width to the ribbon and the main workspace. Then
2007. If you apply this master page to your SharePoint 2010 turn off the ribbon-positioning method to revert to the brows-
site, the ribbon is stripped out and the Site Actions menu ers standard scrolling system. (This topic was covered in part
is located to the right of the global navigation container. two of my article SharePoint Branding 101: Customizing Your
This is the master page thats used when SharePoint 2007 is SharePoint Site at, InstantDoc
upgraded to 2010. It can be used only when SharePoint 2010 ID 136262.)
is in SharePoint 2007 mode via Visual Upgrade.
To center the ribbon and make it a fixed width, perform
The v4.master page is the default team site master page and a search for id="s4-ribbonrow". Add a width style of
can be used for both publishing and non-publishing sites,
whereas the nightandday.master page is used only for pub-
lishing sites. The nightandday.master page is similar to the
Blueband master page that came with SharePoint 2007. The
minimal.master page is used for sites that have their own nav-
igation control or that need additional space to display con-
tent, such as the search center and Office Web Applications.

Tip 11: Use a fixed-width design. Most custom SharePoint Figure 5: Backward compatible content placeholders in a
non-visible panel
branding projects require a fixed-width site design, but
SharePoints ribbon-positioning method can create complex-
ity when youre trying to make a fixed-width site because /*This creates a fixed-width site design. Applying the
it makes the ribbon stay at the top of the page. It also fixed-width to #s4-bodyContainer keeps the scroll bar to the
far right side of the site.*/
replaces the browsers traditional scrolling method by using #s4-bodyContainer {
JavaScript to analyze the size of the page and insert a cus- width: 960px !important;
tom scroll bar underneath the ribbon. }

/* This makes the contents of the ribbon a fixed-width*/

You can choose among several approaches to implement .ms-cui-ribbonTopBars, ms-cui-tabBody {
a fixed-width design. (The following tips arent targeted to margin:auto;
anonymous-accessenabled sites.) The quickest and most }

straightforward approach is to modify a few default CSS /*This removes a white line thats underneath the ribbon and
looks out of place when the ribbons contents are a fixed-
classes to make the site a fixed width, and to match the width*/
width of the ribbons contents to that of the site design. .ms-cui-ribbonTopBars div {
border-bottom:1px solid transparent;
(The ribbons contents are a fixed width, but the ribbon }
container remains the full width of the browser.) Add the
Listing 1: Code to Make Both the Ribbons Contents and the
CSS code in Listing 1 to your master page or style sheet. Site Design a Fixed Width
Note that this approach might conflict with your design.

26 October 2011 |

960px to the <div> tag, and set the margins to auto, as You might want to add some styling around it as well so
follows: that it matches your brand.

<div id="s4-ribbonrow" class=

"s4-pr s4-ribbonrowhidetitle" style= Tip 14: Learn the CSS class s4-notdlg. Many new CSS
"width:960px; margin:auto"> classes were added to SharePoint 2010. In addition to the
s4-nosetwidth class, which was already discussed in the
To center the main workspace and make it a fixed width, master page section of this article, here is another CSS
perform a search for id="s4-workspace". Add the class tip that is often useful when branding in SharePoint 2010.
s4-nosetwidth to the <div> tag, add a width style of I mentioned in Tip 8 that the master page identified as
960px, and set the margins to auto, as follows: System Master Page will be applied to dialog pop-up win-
dows. YYoull notice several instances of the s4-notdlg class
<div id="s4-workspace" class=
"s4-nosetwidth" style= within out-of-the-box SharePoint 2010 master pages. This
"width:960px; margin:auto"> class tells SharePoint not to apply the particular element
that the class wraps around to the dialog box. For example,
Note that the class s4-nosetwidth tells SharePoint not if you create a custom master page with a custom header
to override our fixed width with inline styling when the and apply the s4-notdlg class to that element, the header
page loads in the browser. To revert to the browsers stan- wont appear in the dialog pop-up window. If you dont
dard scrolling method, search for id="s4-workspace" and apply the class s4-notdlg, the header will appear in the dia-
remove it from the <div> container in your master page. log pop-up window.

Tip 12: Manage code that provides error messages to Tip 15: Turn on full error messages. This tip isnt new to
legacy browsers. Toward the bottom of an out-of-the-box SharePoint 2010, but its still helpful. By default, SharePoint
master page, a line of code has been inserted to provide turns custom errors on so that users see a more friendly
an error message for users viewing SharePoint 2010 in an error message. However, the custom error messages dont
unsupported browser. You can insert this line of code in help designers troubleshooting an issue. To turn off custom
your own custom master pages as well. If you dont want error messaging, perform the following steps on the devel-
this warning to be presented to all users, simply remove the opment web server:
following line of code from the master page: 1. Navigate to the following site directory:
<Local drive>:\inetpub\wwwroot\wss\
<SharePoint:WarnOnUnsupportedBrowsers runat="server" />
VirtualDirectories\[sub directory with port number of
Tip 13: Add a traditional breadcrumb. SharePoint 2010 your SharePoint site]
uses a pop-out hierarchical global breadcrumb found on 2. Locate the web.con g le, and make a copy of it as a
the ribbon and a combination of site title and current page backup.
title (or list title) in the header area that can also serve as 3. In Notepad, open the web.con g le.
a type of breadcrumb. However, a lot of clients definitely 4. Search for CallStack. You will nd the following:
miss (and will ask for) a traditional breadcrumb. To add <SafeMode MaxControls="200" CallStack=
the traditional SharePoint 2007 breadcrumb to your new "false" DirectFileDependencies="10"
SharePoint 2010 master page, add this code: AllowPageLevelTrace="false">

<asp:SiteMapPath runate="server" />

5. Change the value of the CallStack and
AllowPageLevelTrace attributes to True.
/*Scroll bar is added if overflow is clipped.*/ 6. Search for CustomErrors, then change the
body.v4master {
overflow:auto; CustomErrors mode to Off.
} 7. Save and close the le.
/*This creates a fixed-width site design. Applying the fixed-
width to #s4-bodyContainer keeps the scroll bar to the far
right side of the site.*/
The cache for the website for which you changed the web
#s4-bodyContainer { .config file is invalidated and reloaded. Now the site will
width: 960px !important;
margin:auto; display the ASP.NET error page, which displays the full
} error message and the exception stack trace.
/*This makes the entire ribbon a fixed width.*/
#s4-ribbonrow { InstantDoc ID 136366
} Celina Baginski ( is the branding
Listing 2: Code to Make Both the Entire Ribbon and the Site development director at Planet Technologies. She has 6 years of
Design a Fixed Width SharePoint experience and 13 years of design experience. Over the
past 3 years, Celina has branded 40 SharePoint sites.

SharePoint Pro | October 2011 27

By Ron
on Charity

Backup and Recovery

SharePoints complex nature requires a thorough plan

harePoints business-value proposition creates sup- For IT staff, begin with these questions:
port pain for IT. Much of this pain is felt in backup Are any outsourcing contracts associated with backup
and recovery, which must occur on three levels: item, and restore, or with the related infrastructure?
site, and farm. I'd like to offer a holistic view of SharePoint Which backup and restore tools are in place? Do they
backup and restore and focus on creating and managing a support SharePoint?
sustainable, comprehensive SharePoint backup and restore Which backup and restore infrastructure is in place?
solution. To create a plan that supports all three levels Which skills that relate to backup and restore are in
above, you must place? What about skills that relate to SharePoint or
understand stakeholder requirements Microsoft SQL Server?
service level agreements (SLAs) Are there constraints within the IT environment (e.g.,
plan for a complete set of backup and restore network bandwidths, storage, tape libraries)?
components What are the existing backup rotation schedules and
consider the technical architecture windows?
evaluate backup and restore toolsets Where are the SharePoint farms? What is their con gu-
create policy and process documentation ration? How much data is involved?
provide operations and awareness training
develop a test plan (See Table 1 for additional questions.) After you complete
complete a proof of concept or pilot this, you can document service level objectives and distrib-
sign off with farm and application owners ute them for review. Youll use them next to define SLAs.
create a backup schedule
develop a governance plan Service Level Agreements
consider the backup and restore processes Defining SLAs requires a mix of technical skill, financial
skill, and political savvy. The technical aspects of most SLAs
Stakeholder Requirements are well defined and provided by the various backup and
To understand the requirements and expectations of a restore toolset venders. They have experienced staff and an
SharePoint backup and recovery plan, you must reach out abundance of documentation that can provide comparisons,
to stakeholders, including people who value statements, and technical data. The true challenge
use SharePoint daily, as a tool for collaboration is creating a solution that addresses business expectations,
run applications (or components) on top of SharePoint financing (i.e., what is being requested versus what you can
sustain SharePoint and the related infrastructure afford), and environmental realities (e.g., infrastructure read-
iness, SharePoint customizations). In your SLAs, you state
Two crucial goals are at play: to gather requirements from the facts regarding the backup and restore service:
the various stakeholders and to educate stakeholders and what will and what wont be backed up, and why
thereby proactively manage expectations. You do this by (think recovery time objectiveRTO, and recovery point
interviewing each stakeholder. To begin, ask business staff objectiveRPO)
Is the data to be backed up directly linked to revenue when data will be backed up, as well as any perfor-
generation? mance, change control, or administration implications
What is the cost per hour? data restore performance and administration
If the data is lost, what is the cost to recreate it? implications
If the data is lost, will the brand be affected? backup speed performance related to capacity plans
Is the data directly classed as corporate records? IT, site administrator, and end-user responsibilities
Who uses the data and how many rely on it? process for provisioning backup and restore
When do users access the data? process for recovering data

30 October 2011 |

SLAs must be publicized and reviewed on a regular basis to
manage expectations. Also, when you provision new farms, Topic Questions
get business and IT stakeholders to physically sign off on Policy
their understanding of SLAs that apply to those farms. What are the current policies for RTO and
RPO? Do they differ from SharePoints
Backup and Restore Components What is the data policy? What is the value
A successful SharePoint backup and restore solution also of data to the organization? What are
the compliance requirements?
includes cost, people, process, and policy to make sure that
Which administration policies must be
it meets expectations and is sustainable. These topics usu- followed to remain compliant?
ally present the most complex or unforeseen challenges, What are the security policies regarding
because backing up and restoring a SharePoint farm is a data protection and handling?
complex task. For example, you must rebuild the server or Process
servers, load Windows Server, load SQL Server, then load Which backup and restore processes are
SharePoint. Then you need to apply service packs, cumula- in place?

tive updates, customizationsand think of all the reboots How will the SharePoint backup and
restore solution affect SharePoint
involved during the build. (See www.sharepointpromag administration and use?
.com, InstantDoc ID 140201, for the Slipstreaming and Which tests must be performed to ensure
WSPs sidebar associated with the web version of this success?

article for a suggestion for customized farms.) How will the backup and restore process
affect operational windows? What jobs
are in place? How resource-intensive
Technical Architecture are they?

Backup architecture generally consists of the SharePoint People

farm (and backup agents installed on the web front ends How will the SharePoint backup and
restore solution affect current
WFEs), a staging farm (usually a single server), storage (a operations staffing? Are outsourcers
location for disk backups), and tape backup systems. From involved?

a storage perspective, I suggest that you plan the space you How will site owners and users be affected
by backup and recovery? What is their
require based on the total size of your farm databases, then role in the process?
add a safety margin. Also consider the impact of a staging Which training and awareness programs
server (usually a single server with disk space to restore the are required? What about operator
and Help desk training and user
databases) in your data center. awareness training? Which tools are
required to support the training and
Though not specific to backup and restore architecture,
your farms information architecture (i.e., how you provi-
Which tools best meet requirements?
sion and organize sites, site collections, and applications) What infrastructure exists? Are agents
is key to helping you meet SLAs, by isolating high-value available for SharePoint? Is a second
toolset and supporting infrastructure
data and configuring backup and restore jobs accordingly. If required?
high- and low-value data are combined, then meeting SLAs What is the data-center footprint (i.e.,
servers, network, storage, power, and
will be difficult because of growing backup windows and
associated recovery times. Keep in mind that SharePoint-
With which vendor(s) are agreements
specific backup toolsets dont have the throughput of a needed? Which services do they
SQL Server backup toolset. Another aspect of information
management is archiving. Some data loses its value over Do we outsource? How will that affect
service costs? What are the initial
time; refer to the Storage Networking Industry Association provisioning costs plus monthly fees?
(SNIA) Data Policy model for details. Consider archival How will the infrastructure be affected (e.g.,
more servers, networking, storage)?
solutions that migrate such data to a low-cost repository.
(Compliance-related data must be migrated to the corpo- How can capacity and recovery time be
balanced? How about SQL Server
rate records-management system.) Many organizations database sizes vs. application needs?
experience a 40- to 50-percent growth in data each year. Table 1: Questions for Creating a SharePoint Backup and
Disk costs are a small component; when you factor in per- Restore Plan
formance degradation, staffing, backup software, and data
center costs (air, power, space), the cost of having low-
value data in SharePoint and SQL Server adds up. ProcessorsIOPs) needs with an experienced SAN admin-
istrator who knows the environment well. From an opera-
Also consider the capacity and utilization of the stor- tional perspective, you want the most speed possible to
age that you use, and plan your performance (i.e., I/O keep your window small and contained. You also want to

SharePoint Pro | October 2011 31

F e a t u r e Backup and Recovery

at 20GB/Hr, versus SQL Server backup speeds that are

Component Description Notes much faster. If you have a large farm with multiple content
Operator console Backup software databases, you can see that granular backups could exceed
operator console
your backup window. You should also evaluate other
SharePoint farm Production SharePoint
farm products as part of your diligence exercise. For example,
Staging farm SharePoint farm used Should reside in Metalogix has a SharePoint tool that lets you use a simple
by some toolsets to same data Windows Explorer interface to browse content databases
stage data recovery center as the
before restoration production and retrieve content.
to the production farm, for
farm recovery speed
purposes Policy and Process Documentation
Client-facing network Client traffic network Isolate traffic to Your solution will require policy and procedural documents
reduce chance that operators, site administrators, and users can follow.
of performance
degradation Youll need these documents (accompanied by training):
Farm network Farm and operational Isolate traffic to How-to manualexplains how to back up and rebuild
traffic network reduce chance farms, and recover individual components.
of performance
degradation Help desk call-handling manualexplains how to
SAN Location for backup handle backup and recovery requests, questions to ask,
files request tracking, follow-up procedures, tools to use.
Tape library Location for Communications planincludes policy and instructions
transferring backup
files to tape regarding communications with the involved parties.
Table 2: SharePoint Backup and Restore Components
Contact listincludes media, farm owners, support,
Help desk, and others (e.g., data-center personnel).

isolate operational-related traffic so that you dont experi- Operations and Awareness Training
ence network-congestion problems. After your solution's in place, people must be trained (in
administration and operation) and stakeholders educated
Table 2 describes components of SharePoint architecture. about the solution (particularly the SLAs). You also must
Make sure to keep detailed and up-to-date documentation create general awareness of the solution. I recommend
for your environment. Tools that help with
this process are available, such as Microsoft
Single Channel Control Module (SCCM) and Product Recovery Type Site Collection Recovery
Size Depth
the free SharePoint Documentation Generator
SharePoint 2007 built- In-place recovery 100GB and less Farm and granular
( in backup recovery to site-
collection level
Backup and Restore Toolsets SharePoint 2010 built- In-place recovery 100GB and less Farm and granular
in backup recovery to list
Several tools are available for SharePoint level; requires
backup and restore. (See Table 3 for an over- Windows
PowerShell for
view of tool differences.) These differences granular restore
affect how you recover, the depth of recovery, Microsoft SQL Server In-place or staging 100GB and more Content databases
and the data center footprint required. (See 2008 R2 built-in recovery only; no
backup granularity (all, InstantDoc or nothing)
ID 140201, for the Change Control side- AvePoint DocAve In-place recovery 100GB and more Farm and granular
bar associated with the web version of this Backup and recovery to item
Restore level
article for more information.) Microsoft also
HP Data Protector Staging farm required 100GB and more Single server farm
offers a comparison of its built-in tools and with Granular and granular
System Center Data Protection Manager Recovery recovery to item
Extension for level
(DPM) at SharePoint
library/cc263427(office.12).aspx. Microsoft DPM 2007 Staging farm required 100GB and more Single server farm
and granular
recovery to item
Some tools require a staging farm to recover level
data, so you must plan for impacts to Microsoft DPM 2010 In-place recovery 100GB and more Farm and granular
people, process, policy, and tools. Also note recovery to item
that recovery speed appears to degrade with
the level of granularity. For example, list- Table 3: SharePoint Backup and Restore Tool Comparison
itemlevel backup speed has been reported

32 October 2011 |

Training for operatorsHow to back up and restore a charter that denes
the scope of the project (e.g., tech-
SharePoint, how to manage related admin tasks. nology tests, process development, performance tests)
Awareness trainingStaff such as stakeholders and archi- a stafng
plan that speci es operational staff, farm or
tects need architectural information. application owners, and vender technical staff
a test plan that species
what is being tested (e.g., farm
Follow-up sessions can reinforce key points and drive recovery, servers, datasee Table 4)
awareness. You might also create a site with information a physical environment plan that species
the technol-
about the backup solution, such as design documents, pro- ogy that the solution requires
visioning forms, backup schedules, performance data (i.e.,
the speed of backup and restore), and key contacts. The proof or pilot must also document these outcomes:
the step-by-step backup and recovery process
Test Plan any prerequisites
Testing should include two components: initial testing of backup and restore performance
the solution in a proof of concept or pilot environment, and any data loss
ongoing testing (i.e., fire drills), which should occur one a test plan report for each test
or two times per year. To test properly (and confidently), a plan for deploying the solution into production
you need a documented plan that includes test scripts and a completed impact and risk assessment
the format for documenting test results. Generally, the test
plan includes a list of tests, expected outcomes, and actual Owner Sign-Off
outcomes. The test plan should be used during the proof of When you're ready to go live with the production version
concept or pilot operation, running end-to-end tests, and for of your solution, its good practice to have a process for
getting stakeholders to sign off physically. A good test plan onboarding each farm and application. This involves qual-
displays thoroughness and helps build credibility with stake- ity checks to verify that backups complete without errors,
holders. It should include the scenarios in Table 4. restores complete without errors, and backup and recovery
times and restore points meet SLAs. Upon recovery of each
When developing test cases, include any details that you want farm or application, the owner reviews the farm, based on
tested and confirm that the results
are noted so that you can man-
age stakeholders expectations. For SharePoint Test Plan
example, the test cases for Web Date MM/DD/YYYY Test plan version Version number
Parts and for data should include Name of test operator Printed first and lastt Signature of test operator Signature
verification of metadata (column) Name of stakeholder Printed first and Signature of stakeholder Signature
last name
recovery, content types, version
history, and workflows, since Test Cases
these are important configuration Test Expected Outcome Actual Outcomes Pass/Fail
changes and their absence can Farm recovery Ability to recover Level of recoverability Pass or Fail
farm end to end Identified gaps in recovery
affect users. tools and process
Time required
Proof of Concept and Pilot Servers Ability to recover each Level of recoverability Pass or Fail
server individually Identified gaps in recovery
Whether you use a proof of (e.g., WFE fails) tools and process
concept, a pilot, or both, the out- Time required

come is generally the same: You Site collections/ Ability to recover Level of recoverability Pass or Fail
applications a site collection Identified gaps in recovery
prove that the solution works in and associated tools and process
your environment. Your proof applications Time required

or pilot must reside in your data Sites/settings Recover a site and its Level of recoverability Pass or Fail
associated settings Identified gaps in recovery
centers and in test representa- tools and process
tions of your production systems Time required

and dataset. (For pilots, you Web Parts/settings Ability to recover a Level of recoverability Pass or Fail
Web Part and its Identified gaps in recovery
might want to back up actual associated settings tools and process
production systems.) This might Time required

seem costly, but it provides a Data Ability to recover data Level of recoverability Pass or Fail
(e.g., documents, Identified gaps in recovery
quality check that ensures that pictures, other list tools and process
your solution works without sur- items) Time required

prises. Your proof or pilot must Table 4: SharePoint Test Plan Scenarios

SharePoint Pro | October 2011 33

F e a t u r e Backup and Recovery

the test plan, completing a series of tests

to verify that data was restored correctly. Job Start Completion Duration Workload
Your tests should also check the logs and Incremental SundayFriday 10:00 P.M. M-F 12:00 A.M. 2 hours Medium

verify that the expected quantity of sites Full backup Saturday 10:00 P.M. Sunday 4:00 A.M. 6 hours High
and data volumes was restored. The Virus scans Daily 4:00 A.M. Daily 5:00 A.M. 1 hour Medium
more quality checks you have, the better. SQL Server Sunday 6:00 A.M. Sunday 10:00 A.M. 4 hours High
Each owner signs off by using a paper or
electronic form. Table 5: Sample Schedule for Planning Backup Jobs

Backup Schedule
When planning your backup schedule Component Description Notes
(see Table 5 for an example), make sure to Restore
that you can recover successfully and List item Check recycle for previous version Some tools can restore at the
Check version history for previous version list library level only.
that the servers aren't saturated as a Use toolset to recover a list item
result of running multiple jobs. Consider List or library Use toolset to recover a list item SharePoint 2010 SP1 provides
the following: recovery functionality.
Should you run full backups monthly Site Use toolset to recover a site SharePoint 2010 SP1 provides
recovery functionality.
or weekly? Depending on your SLAs,
Site collection Use toolset to recover a site collection
weekly is probably best.
When should you run incremental Application Use toolset to recover an application

backups? Daily is the norm. Server Load Windows Server and all service packs Depending on the server, you
Join domain might restore data.
What is the duration of your backup Install SharePoint
jobs? You must plan backup windows Install service packs
Install customizations
to avoid overlap with other jobs (e.g., Configure SharePoint
virus scans), which could degrade Farm Load Windows Server and all service packs Consider slipstreaming as
Join domain much as possible.
performance or even cause outages.
Install SharePoint
Install service packs
Install customizations
The best approach is to list all jobs that Configure SharePoint
will run, document their duration and the Use toolset to recover data
load they place on servers, and map out a Table 6: General Steps for Recovery
visual schedule. With this, you can moni-
tor the jobs for successful completion,
increases in duration, and exceptions. and restore processes depend on the toolset used, Table 6
shows just general steps for recovery.
Backup and recovery needs tools, process, policy, and staff- To safeguard against loss from a catastrophic event, keep
ing to function properly. NonIT staff tend to oversimplify duplicate copies of backups in a separate location from the
technical aspects, while IT staff tend to complicate them. servers. Also, set a retrieval process in place, communicate
Governance creates a forum, letting the organization work it through training, and test it. As a best practice, keep three
through requirements and issues toward consensus. A gov- copies of the backup media, and keep at least one copy off
ernance plan should designate an executive decision maker; site in a controlled environment.
stakeholders from business and IT groups; tools for tracking
issues, discussion topics, and decisions; a decision frame- Keys to Success
work, and a communications plan. The key is to match business needs and expectations with
your financial budget. In addition, review the solution SLAs
Backup and Restore Processes with key stakeholders on a regular basis, since needs are
After preparation come processes. For backup, consider always in flux.
everything that you need to restore SharePoint. For recov- InstantDoc ID 140201
ery, consider what you need to recover SharePoint and the
data it contains. Are you responsible for Windows Server
recovery or is another party? Often SharePoint backup Ron Charity is the SharePoint product manager with a major
and recovery toolsets require servers to be loaded with consulting firm. He has 20+ years in infrastructure and application
Windows Server and joined to the domain. If you rely on consulting for Fortune 500 firms and SharePoint technologies
another party, work with them to obtain specifics regarding experience dating back to 2000. He is responsible for a large global
SLAs and other details. Since the actual step-by-step backup SharePoint environment with farms that service 140 countries.

34 October 2011 |

B Caroline
By Caroli Marw

Management Solutions
Enhancing the order-out-of-chaos features of SharePoint 2010

ack when SharePoint 2010 was just a smile on a You might want a solution that lets you specify a storage
Microsoft SharePoint product managers face, we ran location based on project, time period, or user access. And
a buyers guide on SharePoint document management security is important, at least to limit document view-
(see Buyers Guide: SharePoint Document Management ing via access control. Some solutions also offer support
Tools,, InstantDoc ID 102661). for compliance within specific industry and government
Since then, SharePoint 2010 was released, with improved regulations.
document management features such as the document set,
which helps users to group related documents and work- If you have a lot of paper documents to scan in, or other
flows, and metadata management that helps to bring order to information to capture, you might want to look at solutions
the chaos of document proliferation. So you might be won- that offer capture and scanning of documents, especially
dering, Why do I need a document management solution those that let you control the scanning process from begin-
now that I have SharePoint 2010? Well, SharePoint 2010 isnt ning to end and offer the ability to check image quality. Its
designed to support all document management scenarios. also helpful if fields in the scanning solution can map to
However, with the help of third-party SharePoint document SharePoint columns and to libraries for honing in on docu-
management solutions, you can make SharePoint work best ment locations.
to suit your organizations needs.
Being able to find documents is absolutely important. The
The Association for Information and Image Management ability to search indexed content is crucial, whether your
(AIIM) defines document management as the use of a documents are indexed through simple unique document
computer system and software to store, manage, and track identifiers or more precisely located via document meta-
electronic documents and electronic images of paper-based data. And depending on how your organization processes
information. As you research document management its documents, you might want a system with workflows
solutions, youll see terms such as records management built in, so managing documents is integrated logically into
and Enterprise Content Management (ECM), too. Were a users job duties.
focusing more narrowly on document management and
keeping the industry focus broad, as opposed to narrowing The buyers guide table shows some SharePoint document
it to verticals such as the pharmaceutical industry or legal management solutions were aware of, though there are
services. many others that are also industry specific. And of course,
there are some mighty big vendors just dying to whisk you
Logically, when youre looking at what you want a docu- awayy from SharePoint and into theirr document ecosystem.
ment management system to do, you want it to help make
your users jobs easier as far as working with documents The vendors we list aim to help you make SharePoint work
and storing them, and you want it to make your job easier better as a document management system. Its not neces-
with the ability to secure and audit document access for sarily a comprehensive list, but we hope it provides a good
compliance. Some kind of version control, document lock- starting point for your research.
ing, or document check-in/check-out is useful so users InstantDoc ID 139522
dont save over each others work accidentally and so
changes are noted. Additionally, being able to annotate
documents and stamp them is useful for archiving and
e-discovery. And being able to roll back to a previous docu- Caroline Marwitz ( is editor of
ment version is also helpful. SharePoint Pro magazine and manages

SharePoint Pro | October 2011 35

F e a t u r e Buyers Guide

Company Product Pricing SharePoint Search Metadata Taxonomy/ Indexing Access

Version Capabilities Search Tagging Control Features

Alexya Between SharePoint Yes Yes Yes/Yes Yes Yes

514-880-7704 $5,000 to 2010, 2007 $25,000

Cadac Organic Cadac Contact SharePoint Yes Yes Yes/Yes Yes Yes
+31-45-400-1010 Organice vendor 2010
www.organice Product
.com Suite

Colligo Networks Colligo $75 to $189, SharePoint Yes Yes Yes/Yes Yes Yes
604-685-7962 Contributor volume 2010 discounts

Dark Blue Duck Scanning $450 for SharePoint Yes Yes Yes/Yes Yes Yes
425-296-7670 Enabler v4.x five users
fi 2010, 2007

Executive Search- $5,000 SharePoint Yes Yes Yes/Yes Yes Yes

Technologies Express/ 2010, 2007
205-985-7686 SharePoint
www.searchexpress Document
.com Manage-

FileHold Systems Document $3,750 for SharePoint Yes Yes Yes/Yes Yes Yes
877-833-1202 Manage- fi
five-user 2010, 2007
fi ment system
.com Software

Kaldeera Kaldeera $600 SharePoint Yes Yes Yes/No No Yes

678-608-1383 ScanIN 2010, 2007

Kofax Kofax Contact SharePoint No No No/No Yes Yes

949-783-1000 Enterprise vendor 2010, 2007 Capture for

MacroView MacroView $77 per seat SharePoint Yes Yes Yes/Yes Yes Yes
866-589-4939 DMF 2010, 2007

OpenText OpenText Contact SharePoint Yes Yes Yes/Yes Yes Yes

800-499-6544 Application vendor 2010 Governance
& Archiving
for Microsoft

PSIGEN Software PSI:Capture $995 to SharePoint Yes Yes Yes/Yes Yes Yes
949-916-7700 $17,000 2010 depending
on modules
and vol-

Vizit Vizit Starts at SharePoint Yes Yes No/No Yes Yes

855-849-4887 $999 2010, 2007

Editors Note: Some vendors you might expect to see in this Buyers Guide said they didnt have a product that exactly matched the
criteria or didnt respond to our requests for information about their products.

36 October 2011 |

Audit Editing/ Version Check-in, Document Roll Back File Export Scan Integrated Ability to Document
Trail Annotation Controls Check-out Locking Capabilities Types Capabilities Workflows Specify Lifecycle
Capabilities Capabilities Storage Control

Yes Yes Yes Yes Yes Yes PDF No Yes Yes Yes

Yes Yes Yes Yes Yes Yes PDF, XLS, Yes Yes No Yes

Yes Yes Yes Yes Yes Yes Not No Yes Yes Yes

Yes Yes Yes Yes No Yes PDF, Yes Yes Yes Yes

No Yes No No No No DOC, XLS, Yes Yes Yes No


Yes Yes Yes Yes Yes Yes PDF Yes Yes Yes Yes

Yes No Yes Yes No Yes PDF, JPG, Yes Yes No Yes


Yes No Yes No Yes No TIFF, PDF Yes Yes No No

Yes Yes Yes Yes Yes Yes DOC, XLS, No Yes Yes Yes

Yes Yes Yes Yes Yes Yes PDF, XPS, Yes Yes Yes Yes

Yes Yes Yes Yes Yes Yes PDF, TIFF, Yes Yes Yes Yes

Yes Yes Yes Yes Yes No Over 400 Yes Yes No No


SharePoint Pro | October 2011 37

N ew &E n ha n c e d Prod ucts
Product news for SharePoint Byy Caroline
aroline Marwitz
admins, devs, and end users

Office 365 Compatibility

S howing that companies in the SharePoint solution
world are increasingly committing to SharePoint
Online in spite of Microsofts lag in making the collabor-
forr smaller companies to manage content within Micr
Office and the more basic SharePoint Foundation 2010 as
well, providing
viding an entry into online content management
managemen in
ative aspect of Office 365 truly enterprise-ready, Work- an on-premises-like
on-premise solution.
share recently announced Office 365 compatibility with
its Workshare Point document management solution for The latest version will provide the ability to preview
SharePoint. Outlook messages stored in SharePoint while the user is
in Outlook, support for site collections, a new SharePoint
Workshare Point 1.2, a solution that integrates SharePoint email folder pane for improved filing and synchronization,
with Microsoft Office, will now enable users to connect to and improved auto-profiling using document and email
a SharePoint Online server hosted by Microsoft in its Office metadata. See the companys website for more information:
365 cloud solution. Workshare has also added the capability

SharePoint Backup and Recovery

R ecently, Syncsort reported that it had enhanced its backup
solution for SharePoint. Now NetApp Syncsort Integrated
Backup (NSB) includes virtual node technology to protect
VMware environments, enabling conversion of a SharePoint
backup, whether physical or virtual, to a virtual machine.
NSB also protects physical servers, enabling a full system
SharePoint by automatically discovering all the servers and bare metal restore from a backup job, and it includes NetApp
server roles in a farm, and protecting them under a single SnapMirror replication software to allow backups to be repli-
check-box item. NSB restores all aspects of a SharePoint cated to an alternate site for full, multi-site disaster recovery.
environment including individual objects or documents, a It supports both SharePoint 2010 and SharePoint 2007. See
SharePoint site, a database, or an entire farm. It integrates with Syncsorts website:

Auditing SharePoint
Advertising Index
M onitoring SharePoint activity is crucial for meeting
compliance and security requirements, and simply
for keeping tabs on whats going on with your SharePoint
Advertiser Page URL

implementation. LOGbinder SP writes SharePoint audit CompuSight Cover 3

events to the Windows event log. And LOGbinder SP SIEM
Critical Path Training 4
edition adds alerting, reporting, and secure, long-term
archiving of SharePoint audit logs. Sharepoint Connections 28, 29
Fall 2011
We originally built LOGbinder SP Agent Edition
with security teams in mind who already had a log 8, 9
management-SIEM solution in place and just needed to
Idera 2
get access to SharePoint audit logs with all the cryptic
codes translated and resolved, says LOGbinders Randy SQL Server Magazine 38
Franklin Smith. But we found that many SharePoint teams
often dont have a log management-SIEM solution already SurfRay Inc Cover 2
in place, yet they still need alerting, reporting, and log
archiving. And that is what our SIEM edition provides. To Windows IT Pro 10, 17
learn about SharePoint logging and LOGbinders solutions,

SharePoint Pro | October 2011 39

SharePoint Q&A
n Bart
By and
Wilansky M Dono

Q: Failure Loading Item Picker Whichh sign-in page you see depends upon how youvee
shows in the ULS log. Help! configured
nfigured claims-based
c authentication.

A: While developing a Business Connectivity Services If youve enabled both Windows and forms-based
(BCS) .NET Connectivity Solution in Visual Studio 2010, authentication
uthentication for a zone, youll see the sign-in page
you add a filter descriptor to your entity and deploy the containing a drop-down list that lets you choose how
solution, but displaying the item picker data fails. In the youd like to log in. This version of the page is located at
SharePoint Unified Logging Service (ULS) log, you see an \{SharePointRoot}\TEMPLATE\IDENTITYMODEL\LOGIN\
error message that begins Failure loading item picker. default.aspx.
Attempting to deserialize an empty stream. If youve only enabled forms-based authentication (and
not Windows), youll see a sign-in page that contains the
This is a classic example of the underlying out-of-the-box standard user name and password fields youd expect to see.
Business Data Connectivity (BDC) service code not catching This version of the page is located at \{SharePointRoot}\
this error condition early enough, and then sending you an TEMPLATE\IDENTITYMODEL\FORMS\default.aspx.
ambiguous message. One possible reason for the error is
that you didnt add the filter descriptor to a Finder method Solution: The master page used by the sign-in pages places
(typically called ReadList) as an input parameter to the the icon inside an ASP.NET content placeholder, making it
method in the associated service class. easy to change. I recommend you create a Solution Package
(WSP file) for final deployment, but so you can see whats
Solution: After adding the filter descriptor name as an going on, here are the manual steps:
input parameter to the Finder method, be sure to delete the 1. Go to the location of your current sign-in page (one of
associated external content type from Central Administration the two locations I described above).
before redeploying the model. Also, verify that the method 2. Copy the default.aspx page to a new folder youve
has a Where clause to accommodate the filter descriptor. For created (perhaps named after your company) under
example, lets say you have an Entity named Car with an \{SharePointRoot}\TEMPLATE\LAYOUTS. That way
associated service class named CarService. You have defined youre not changing out-of-the-box les.

a filter descriptor named ColorFilterDescriptor so that users 3. Open the copied le
in a text editor and add the
can filter cars by color. This filter descriptor is associated following ASP.NET content tag:
with the color type descriptor in the Car entity. The color
<asp:Content ContentPlaceHolderId=
type descriptor is defined as an In parameter in the model. "PlaceHolderIcon" runat="server">
In the ReadList method of the CarService class, you must <img src="/path/to/new/icon.gif" runat=
"server" />
add the Color In parameter of the Car entity as an input </asp:Content>
parameter of the Finder (ReadList) method. In addition, you
must add a Where clause to your ReadList method that will 4. Save the le.

filter the value a user passes in for the ColorFilterDescriptor. 5. Open Central Administration, and go to the Web
Ethan Wilansky Application Management page.
InstantDoc ID 136309 6. Select your web application, and click Authentication
Providers in the ribbon.
Q: How do I change the icon on the 7. In the pop-up dialog box, click the link for the zone
where you want your new sign-in page.
sign-in page in SharePoint 2010? 8. For the Sign-In Page URL setting, choose Custom
Page, and set the URL to ~/_layouts/
A: Youve turned on claims-based authentication for YourFolder/default.aspx (or wherever you put your
a web application in SharePoint 2010, and youve also new page).
enabled the Forms-based authentication option in the
authentication settings for one or more zones. When you Now your sign-in page should display your new icon. I
browse to the site, the sign-in page shows an error icon (red hope its much more user-friendly than the big red X.
circle with a white X) on it, and youd like to replace that Bart McDonough
icon. InstantDoc ID 136377

40 October 2011 |